EP2562736A1

EP2562736A1 - Secret sharing system, sharing apparatus, sharing management apparatus, acquiring apparatus, secret sharing method, program and recording medium

Info

Publication number: EP2562736A1
Application number: EP11809735A
Authority: EP
Inventors: Ryo Nishimaki; Koutarou Suzuki
Original assignee: Nippon Telegraph and Telephone Corp
Current assignee: Nippon Telegraph and Telephone Corp
Priority date: 2010-07-23
Filing date: 2011-07-22
Publication date: 2013-02-27
Anticipated expiration: 2031-07-22
Also published as: WO2012011565A1; US20130114815A1; JPWO2012011565A1; JP5379914B2; CN103003857B; US8964988B2; KR101456579B1; EP2562736B1; CN103003857A; KR20130036044A; EP2562736A4

Abstract

A sharing apparatus independently shares a value corresponding to each element θ(ψ, i, β) · g₂ of basis vectors b_i ^*(θ) among each subset SUB(α) consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)) to generate share information SH(ψ, i, β, α, h(α)) corresponding to each element θ(ψ, i, β) · g₂. The share management apparatus PA(α, h(α)) generates a share secret value DSH(ψ, α, h(α)) by performing a common calculation common in the subset SUB(α) on common information shared in the subset SUB(α) and the share information SH(ψ, i, β, α, h(α)). An acquisition apparatus generates reconstructed secret values SUBSK(ψ, α) for each subset SUB(α) by performing a reconstruction processing for the subset SUB(α) and generates generation information D^*(ψ) from the reconstructed secret values SUBSK(ψ, α).

Description

[TECHNICAL FIELD]

The present invention relates to a secret sharing technique.

[BACKGROUND ART]

In storage of secret information, risks of loss or destruction and theft of the secret information have to be considered. The risk of loss or destruction can be reduced by storing a plurality of pieces of secret information. However, this measure increases the risk of theft. A solution to eliminate both risks is a secret sharing scheme (SSS) (see Non-patent literatures 1 and 2, for example).
The secret sharing scheme is a scheme in which a plurality of pieces of share information SH(1), ..., SH(N) are generated from secret information MSK and shared among and managed by a plurality of share management apparatuses PA(1), ..., PA(N), and the secret information MSK can be reconstructed only when a predetermined number or more of the pieces of share information SH(1) to SH(N) are obtained. In the following, representative secret sharing schemes will be described.
(N, N) Threshold Secret Sharing Scheme:

According to an (N, N) threshold secret sharing scheme (referred to also as an "N-out-of-N sharing scheme" or "N-out-of-N threshold sharing scheme"), although the secret information MSK can be reconstructed if all the share information SH(1), ..., SH(N) are given, the secret information MSK cannot be obtained at all when N-1 arbitrary pieces of share information SH(φ₁), ..., share(φ_N-1) are given. The following is an example of the (N, N) threshold secret sharing scheme.
- ● SH₁, ..., SH_N-1 are randomly selected.
- ● SH_N = MSK - (SH₁ + ... + SH_N-1) is calculated.
- ● Each piece of share information SH₁, ..., SH_N is shared among a plurality of share management apparatuses PA(1), ..., PA(N) for management.
- ● If all the share information SH₁, ..., SH_N are given, the secret information MSK can be reconstructed by a reconstruction processing according to MSK = SH₁ + ... + SH_N.

The calculation MSK = SH₁ + ... + SH_N for reconstructing the secret information MSK from the share information SH₁, ..., SH_N is linear. Therefore, if the reconstruction processing is performed for share information SH'(1), ..., SH'(N) each piece of which is obtained by performing a liner calculation CALC for each piece of share information SH(1), ..., SH(N) and a value σ as operands, the result of the reconstruction processing is the result of the linear calculation CALC performed for the secret information MSK and the σ as operands. For example, if the reconstruction processing is performed for share information SH'(1) = σ · SH(1), ..., SH'(N) = σ · SH(N), the following value results. $\begin{array}{l} σ \cdot SH (1) + \dots + σ \cdot SH (N) \\ = σ \cdot (SH (1) + \dots + SH (N)) \\ = σ \cdot MSK \end{array}$
On the other hand, if the reconstruction processing is performed for share information SH'(1), ..., SH'(N) each piece of which is obtained by performing a liner calculation CALC for each piece of share information SH(1), ..., SH(N) and each of independent values σ(1), ..., σ(N) as operands, in general, the result of a calculation that involves the secret information MSK as an operand cannot be obtained. For example, the reconstruction processing is performed for share information SH'(1) = σ(1) · SH(1), ..., SH'(N) = σ(N) · SH(N), the following value results. $σ (1) \cdot SH (1) + \dots + σ (N) \cdot SH (N)$
(K_t, N) Threshold Secret Sharing Scheme:

According to a (K_t, N) threshold secret sharing scheme (referred to also as a "K_t-out-of-N sharing scheme" or "K_t-out-of-N threshold secret sharing scheme"), although the secret information MSK can be reconstructed if K_t different arbitrary pieces of share information SH(φ₁), ..., SH(φ_Kt) are given, the secret information MSK cannot be obtained at all if K_t-1 arbitrary pieces of share information SH(φ₁), ..., SH(φ_Kt-1) are given. The subscript "Kt" means K_t. The following is an example of the (K_t, N) threshold secret sharing scheme.
- ● A K_t-1-th order polynomial f(x) = ξ₀ + ξ₁ · x + ξ₂ · x² + ... + ξ_Kt-1 · x^Kt-1 that satisfies f(0) = MSK is randomly selected. That is, ξ₀ = MSK is set, and ξ₁, ..., ξ_Kt-1 are randomly selected. The share information is denoted by SH_ρ = (ρ, f(ρ)) (ρ = 1, ..., N).
- ● If K_t different arbitrary pieces of share information SH(φ₁), ..., SH(φ_Kt) ((φ₁, ..., φ_Kt) ⊂ (1, ..., N)) are obtained, the secret information MSK can be reconstructed by the following reconstruction processing using the Lagrange's interpolation formula, for example.
$MSK = f (0) = λ_{1} \cdot f (φ) (_{1}) + \dots + λ_{Kt} \cdot f (φ_{Kt})$
$λ_{ρ} (x) = \frac{(x - φ_{1}) \dots \overset{ρ}{\lor} \dots (x - φ_{K_{t}})}{(φ_{ρ} - φ_{1}) \dots \overset{ρ}{\lor} \dots (φ_{ρ} - φ_{K_{t}})} \in F_{q}$
Note that "... $\overset{ρ}{\lor}$
..."means that there is not the p-th operand from the top [the denominator element (φ_ρ - φ_ρ), the numerator element (x - φ_ρ)]. That is, the denominator of formula (4) is as follows. $(φ_{ρ} - φ_{1}) \cdot \dots \cdot (φ_{ρ} - φ_{ρ - 1}) \cdot (φ_{ρ} - φ_{ρ + 1}) \cdot \dots \cdot (φ_{ρ} - φ_{Kt})$
The numerator of formula (4) is as follows. $(x - φ_{1}) \cdot \dots \cdot (x - φ_{ρ - 1}) \cdot (x - φ_{ρ + 1}) \cdot \dots \cdot (x - φ_{Kt})$
These relations hold on a field.

The calculation expressed by the formula (3) is linear. Therefore, the value reconstructed from the share information SH'(φ₁), ..., SH(φ_Kt) each piece of which is obtained by performing the linear calculation CALC for each piece of share information SH(φ₁), ..., SH(φ_Kt) and the value σ as operands is equal to the result of the linear calculation CALC performed for the secret information MSK and the value σ as operands. On the other hand, if the reconstruction processing is performed for share information SH'(φ₁), ..., SH'(φ_Kt) each piece of which is obtained by performing the liner calculation CALC for each piece of share information SH(φ₁), ..., SH(φ_Kt) and each of independent values σ(φ₁), ..., σ(φ_Kt) as operands, in general, the result of a calculation that involves the secret information MSK as an operand cannot be obtained.

[PRIOR ART LITERATURE]

[NON-PATENT LITERATURE]

Non-patent literature 1: Kaoru Kurosawa and Wakaha Ogata, "Introduction of Modem Cryptography (Electronics, information and communication lectures series), " Corona Publishing Co., LTD., March 2004, p. 116 to 119.
Non-patent literature 2: A. Shamir, "How to Share a Secret," Communications of the ACM, November 1979, Volume 22, .

[SUMMARY OF THE INVENTION]

[PROBLEMS TO BE SOLVED BY THE INVENTION]

A scheme that satisfies the following conditions is contemplated.
(Condition 1) A sharing apparatus performs the secret sharing of secret information MSK to generate a plurality of pieces of share information SH(1), ..., SH(N), which are distributed among and managed by a plurality of share management apparatuses PA(1), ..., PA(N).
(Condition 2) Each share management apparatus PA(1), ..., PA(N) performs a certain calculation.
(Condition 3) An acquisition apparatus cannot obtain the secret information MSK but can obtain generation information corresponding to the result of a calculation that involves the secret information MSK and an arbitrary value σ as operands if the calculation results are given from a predetermined number or more of share management apparatuses.
However, such a scheme is difficult to implement. That is, if the share management apparatuses PA(1), ..., PA(N) perform their respective calculations using independent values σ(1), ..., σ(N), the acquisition apparatus cannot properly perform the reconstruction processing using the calculation results from the share management apparatuses as the share information and thus cannot obtain desired generation information. However, since the value σ can be used for estimating the generation information, it is unfavorable from the viewpoint of security that all the share management apparatuses PA(1), ..., PA(N) share the same value σ.
The present invention has been made in view of such circumstances, and an object of the present invention is to provide a secure scheme that satisfies the conditions 1 to 3 described above.

[MEANS TO SOLVE THE PROBLEMS]

According to the present invention, a sharing apparatus, ∑α=1 ^L h(α) share management apparatuses PA(α, h(α)) (α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2) and an acquisition apparatus cooperate to perform a secret sharing processing. The sharing apparatus independently performs the secret sharing of a value corresponding to each element θ(ψ, i, β) · g₂ of basis vectors b_i ^*(ψ) among each subset SUB(α) consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)) according to a predetermined secret sharing scheme to generate share information SH(ψ, i, β, α, h(α)) (h(α) = 1, ..., H(α)) corresponding to each element θ(ψ, i, β) · g₂, provided that Ψ denotes an integer equal to or greater than 1, ψ denotes an integer equal to or greater than 0 and equal to or smaller than Ψ (ψ= 0, ..., Ψ), n(ψ) denotes an integer equal to or greater than 1, ζ(ψ) denotes an integer equal to or greater than 0, g₂ denotes a generator of a cyclic group G₂, and the basis vectors b_i ^*(ψ) are n(ψ) + ζ(ψ) - dimensional vectors for θ(ψ, i, β) (i = 1, ..., n(ψ)+ζ(ψ), β = 1, ..., n(ψ) + ζ(ψ), n(ψ) ≥ 1, ζ(ψ) ≥ 1) whose elements are n(ψ)+ζ(ψ) elements of the cyclic group G₂ (i.e., b_i ^*(ψ) = (θ(φ, i, 1) · g₂, ..., θ(ψ, i, n(ψ)+ζ(ψ)) ·g₂) ∈ G₂ ^n(ψ)+ζ(ψ)). The share management apparatus PA(α, h(α)) generates share secret values DSH(ψ, α, h(α)) by performing a common calculation common in the subset SUB(α) on common information shared in the subset SUB(α) and the share information SH(ψ, i, β, α, h(α)) (h(α) = 1, ..., H(α)). The acquisition apparatus generates reconstructed secret values SUBS(ψ, α) for each subset SUB(α) from a plurality of the share secret values DSH(ψ, α, h(α)) for the subset SUB(α) by performing a reconstruction processing for the subset SUB(α) according to the secret sharing scheme, and generates generation information D*(ψ) from the reconstructed secret values SUBSK(ψ, α).
According to the present invention, the basis vectors b_i ^*(ψ), whichare the secret information, are independently secret-shared among the subset SUB(α), and the share secret values DSH(ψ, α, h(α)) are generated using common information shared in each subset SUB(α). In this case, in each subset SUB(α), the reconstruction processing using the share secret values DSH(ψ, α, h(α)) as share information can be properly performed. The common information is shared in each subset SUB(α) but is not shared among all the share management apparatuses PA(α, h(α)), so that high security is ensured.

[EFFECTS OF THE INVENTION]

As described above, the present invention can provide a secure scheme that satisfies the conditions 1 to 3 described above.

[BRIEF DESCRIPTION OF THE DRAWINGS]

[Fig. 1] Fig. 1 is a block diagram for illustrating a general configuration of a secret sharing system according to a first embodiment.
[Fig. 2] Fig. 2 is a block diagram for illustrating a configuration of a sharing apparatus shown in Fig. 1.
[Fig. 3A] Fig. 3A is a block diagram for illustrating a configuration of a share management apparatus according to the first embodiment.
[Fig. 3B] Fig. 3B is a block diagram for illustrating a configuration of a common value generation apparatus according to the first embodiment.
[Fig. 4] Fig. 4 is a block diagram for illustrating a configuration of an acquisition apparatus according to the first embodiment.
[Fig. 5A] Fig. 5A is a block diagram for illustrating details of a secret sharing unit shown in Fig. 2.
[Fig. 5B] Fig. 5B is a block diagram for illustrating details of a share secret value generation unit shown in Fig. 3A.
[Fig. 6] Fig. 6 is a block diagram for illustrating details of a reconstruction unit shown in Fig. 4.
[Fig. 7] Fig. 7 is a diagram for generally illustrating a secret sharing processing according to the first embodiment.
[Fig. 8A] Fig. 8A is a diagram for illustrating a processing of the sharing apparatus according to the first embodiment.
[Fig. 8B] Fig. 8B is a diagram for illustrating details of a processing of Step S112.
[Fig. 9A] Fig. 9A is a diagram for illustrating a processing of the share management apparatus according to the first embodiment.
[Fig. 9B] Fig. 9B is a diagram for illustrating details of a processing of Step S124.
[Fig. 10A] Fig. 10A is a diagram for illustrating a processing of the acquisition apparatus according to the first embodiment.
[Fig. 10B] Fig. 10B is a diagram for illustrating details of a processing of Step S134.
[Fig. 11A] Fig. 11A is a diagram for illustrating a configuration of a secret sharing unit according to a modification 1 of the first embodiment.
[Fig. 11B] Fig. 11B is a diagram for illustrating a configuration of a share secret value generation unit according to modification 1 of the first embodiment.
[Fig. 12A] Fig. 12A is a diagram for illustrating a configuration of a share secret value generation unit according to modification 2 of the first embodiment.
[Fig. 12B] Fig. 12B is a diagram for illustrating a configuration of a reconstruction unit according to modification 2 of the first embodiment.
[Fig. 13A] Fig. 13A is a diagram for illustrating a configuration of a secret sharing unit according to modification 3 of the first embodiment.
[Fig. 13B] Fig. 13B is a diagram for illustrating a configuration of a share secret value generation unit according to modification 3 of the first embodiment.
[Fig. 13C] Fig. 13C is a diagram for illustrating a configuration of a reconstruction unit according to modification 3 of the first embodiment.
[Fig. 14A] Fig. 14A is a diagram for illustrating a configuration of a secret sharing unit according to modification 4 of the first embodiment.
[Fig. 14B] Fig. 14B is a diagram for illustrating a configuration of a share secret value generation unit according to modification 4 of the first embodiment.
[Fig. 14C] Fig. 14C is a diagram for illustrating a configuration of a reconstruction unit according to modification 4 of the first embodiment.
[Fig. 15] Fig. 15 is a diagram illustrating tree-structure data that represents a normal form logical formula.
[Fig. 16] Fig. 16 is a diagram illustrating tree-structure data that represents a normal form logical formula.
[Fig. 17] Fig. 17 is a block diagram for illustrating a general configuration of a secret sharing system according to a second embodiment.
[Fig. 18] Fig. 18 is a block diagram for illustrating a configuration of a sharing apparatus according to the second embodiment.
[Fig. 19A] Fig. 19A is a block diagram for illustrating a configuration of a common value generation apparatus according to the second embodiment.
[Fig. 19B] Fig. 19B is a block diagram for illustrating a configuration of a common value generation apparatus according to the second embodiment.
[Fig. 20] Fig. 20 is a block diagram for illustrating a configuration of a share management apparatus according to the second embodiment.
[Fig. 21] Fig. 21 is a block diagram for illustrating a configuration of an acquisition apparatus according to the second embodiment.
[Fig. 22] Fig. 22 is a diagram for generally illustrating a secret sharing processing according to the second embodiment.
[Fig. 23] Fig. 23 is a diagram for generally illustrating the secret sharing processing according to the second embodiment.
[Fig. 24] Fig. 24 is a diagram for illustrating a processing of the sharing apparatus according to the second embodiment.
[Fig. 25] Fig. 25 is a diagram for illustrating a processing of the share management apparatus according to the second embodiment.
[Fig. 26] Fig. 26 is a diagram for illustrating a processing of the acquisition apparatus according to the second embodiment.
[Fig. 27] Fig. 27 is a diagram for illustrating a processing of a share management apparatus according to modification 1 of the second embodiment.
[Fig. 28] Fig. 28 is a diagram for illustrating the processing of the share management apparatus according to modification 1 of the second embodiment.

[DETAILED DESCRIPTION OF THE EMBODIMENTS]

In the following, embodiments of the present invention will be described with reference to the drawings.

[FIRST EMBODIMENT]

First, a first embodiment of the present invention will be described.

[Definitions]

Terms and symbols used in the description of this embodiment will be defined below.
F_q: F_q represents a finite field having an order q. The order q is an integer equal to or greater than 1, which is a prime number or a power of a prime number, for example. For example, the finite field F_q is a prime field or an extension field of a prime field. If the finite field F_q is a prime field, it can be easily constructed by a remainder calculation modulo q, for example. If the finite field F_q is an extension field, it can be easily constructed by a remainder calculation modulo an irreducible polynomial, for example. A specific construction method for the finite field F_q is disclosed in Reference literature 1 (ISO/IEC 18033-2: Information technology - Security techniques - Encryption algorithms - Part 2: Asymmetric ciphers).
0_F: 0_F represents an additive identity of the finite field F_q.
1_F: 1_F represents a multiplicative identity of the finite field F_q.
E: E represents an elliptic curve defined on the finite field F_q. The elliptic curve E is a set of points comprising a set of points (x, y) consisting of x and y ∈ F_q that satisfy the following Weierstrass equation in an affine coordinate system and a particular point O referred to as a point of infinity. $y^{2} + a_{1} \cdot x \cdot y + a_{3} \cdot y = x^{3} + a_{2} \cdot x^{2} + a_{4} \cdot x + a_{6}$

In the formula, a₁, a₂, a₃, a₄, a₆ ∈ F_q.
A binary calculation + referred to as an elliptic curve addition is defined for arbitrary two points on the elliptic curve E, and a monadic calculation - referred to as an inverse calculation is defined for an arbitrary one point on the elliptic curve E. The facts that a finite set comprising rational points on the elliptic curve E forms a group with respect to the elliptic curve addition and that a calculation referred to as an elliptic curve scalar multiplication can be defined using the elliptic curve addition and specific methods of elliptic curve addition or other elliptic calculations on a computer are well known (see Reference literature 1, Reference literature 2 (RFC 5091: Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems), and Reference literature 3 (Ian F. Blake, Gadiel Serrousi and Nigel P. Smart, "Elliptic Curve Cryptography" published by Pearson Education, ISBN4-89471-431-0), for example).
The finite set comprising the rational points on the elliptic curve E has a subgroup having an order p (p ≥ 1). For example, provided that the number of elements of the finite set comprising rational points on the elliptic curve E is denoted by #E, and p is a large prime number that divides #E, a finite set E[p] consisting of p-division points on the elliptic curve E forms a subgroup of the finite set consisting of the rational points on the elliptic curve E. The "p-division points on the elliptic curve E" means those of the points A on the elliptic curve E whose elliptic curve scalar products p · A on the elliptic curve E satisfy a relation p · A = O.
G: G represents a cyclic group. Specific examples of the cyclic group G include the finite set E[p] comprising p-division points on the elliptic curve E, a subgroup thereof and a quotient group thereof. In this embodiment, a calculation defined on the cyclic group G is additively expressed. That is, χ · Q ∈ G for χ ∈ F_q and Ω ∈ G means that a calculation defined on the cyclic group G is performed χ times on Ω ∈ G₁, and Ω₁ + Ω₂ ∈ G for Ω₁ and Ω₂ ∈ G means that a calculation defined on the cyclic group G is performed on operands Ω₁ ∈ G and Ω₂ ∈ G.
g: g represents a generator of the cyclic group G.

Fig. 1 is a block diagram for illustrating a general configuration of a secret sharing system according to the first embodiment.
As illustrated in Fig. 1, a secret sharing system 1 according to this embodiment comprises a sharing apparatus 110, ∑_α=1 ^L h(α) share management apparatuses [PA(α, h(α)) (α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2)] 120 - α - h(α), an acquisition apparatus 130 and common value generation apparatuses 140-1 to 140-L, which can communicate with each other via a network 150. For simplicity of explanation, this embodiment will be described with regard to an example where there are only one sharing apparatus 110 and only one acquisition apparatus 130, there can be two or more sharing apparatuses 110 and two or more acquisition apparatuses 130. Similarly, this embodiment will be described with regard to an example where there is only one set of ∑_α=1 ^L h(α) share management apparatuses [PA(α, h(α))] 120-α-h(α), there can be a plurality of such sets.
As illustrated in Fig. 1, the set of ∑_α=1 ^L h(α) share management apparatuses [PA(α, h(α))] 120-α-h(α) is divided into a plurality of subsets SUB(α) each consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)). Each subset SUB(α) is associated with a common value generation apparatus 140-α that generates a common value σ(α) shared in the subset SUB(α).

Fig. 2 is a block diagram for illustrating a configuration of the sharing apparatus 110 shown in Fig. 1. Fig. 5A is a block diagram for illustrating details of a secret sharing unit 114-α shown in Fig. 2.
As illustrated in Fig. 2, the sharing apparatus 110 according to this embodiment comprises a temporary storage 111, a storage 112, a controller 113, secret sharing units 114-α (α = 1, ..., L) and a transmitter 115. As illustrated in Fig. 5A, the secret sharing unit 114-α according to this embodiment has a function selection unit 114a-α, an index generation unit 114b-α and a sharing processing unit 114c-α.
The sharing apparatus 110 according to this embodiment is a particular apparatus including a well-known or dedicated computer comprising a central processing unit (CPU), a random access memory (RAM), a read-only memory (ROM) and the like and a particular program. More specifically, the temporary storage 111 and the storage 112 are storage areas provided by a RAM, a register, a cache memory, an element in an integrated circuit or an auxiliary storage device, such as a hard disk, or a combination of at least some of these devices. The controller 113 and the secret sharing unit 114-α (α = 1, ..., L) are processing units implemented by the CPU executing a predetermined program. At least part of the controller 113 and the secret sharing unit 114-α (α = 1, ..., L) can be a particular integrated circuit. The transmitter 115 is a communication device, such as a modem and a local area network (LAN) card.
The sharing apparatus 110 performs each processing under the control of the controller 113. Although only simply described in the following, every data output from each processing unit is stored in the temporary storage 111 or the storage 112. The data stored in the temporary storage 111 or the storage 112 is read as required and input to each processing unit for the processing thereof.

Fig. 3A is a block diagram for illustrating a configuration of the share management apparatus [PA(α, h(α))] 120-α-h(α) according to the first embodiment. Fig. 5B is a block diagram for illustrating details of a share secret value generation unit 124-α-h(α) shown in Fig. 3A.
As illustrated in Fig. 3A, the share management apparatus [PA(α, h(α))] 120-α-h(α) has a temporary storage 121-α-h(α), a storage 122-α-h(α), a controller 123-α-h(α), a share secret value generation unit 124-α-h(α), a transmitter 125-α-h(α) and a receiver 126-α-h(α). As illustrated in Fig. 5B, the share secret value generation unit 124-α-h(α) has a linear calculation unit 124a-α-h(α) and a share secret value synthesis unit 124b-α-h(α).
The share management apparatus [PA(α, h(α))] 120-α-h(α) is a particular apparatus including a well-known or dedicated computer comprising a CPU, a RAM, a ROM and the like and a particular program. More specifically, the temporary storage 121-α-h(α) and the storage 122-α-h(α) are storage areas provided by a RAM, a register, a cache memory, an element in an integrated circuit or an auxiliary storage device, such as a hard disk, or a combination of at least some of these devices. The controller 123-α-h(α) and the share secret value generation unit 124-α-h(α) are processing units implemented by the CPU executing a predetermined program. At least part of the controller 123-α-h(α) and the share secret value generation unit 124-α-h(α) can be a particular integrated circuit. The transmitter 125-α-h(α) and the receiver 126-α-h(α) are communication devices, such as a modem and a local area network (LAN) card.
The share management apparatus [PA(α, h(α))] 120-α-h(α) performs each processing under the control of the controller 123-α-h(α). Although only simply described in the following, every data output from each processing unit is stored in the temporary storage 121-α-h(α) or the storage 122-α-h(α). The data stored in the temporary storage 121-α-h(α) or the storage 122-α-h(α) is read as required and input to each processing unit for the processing thereof.

Fig. 3B is a block diagram for illustrating a configuration of the common value generation apparatus 140-α according to the first embodiment.
As illustrated in Fig. 3B, the common value generation apparatus 140-α according to this embodiment has a random number generation unit 141-α and a transmitter 142-α. The common value generation apparatus 140-α according to this embodiment is a particular apparatus including a well-known or dedicated computer comprising a CPU, a RAM, a ROM and the like and a particular program, for example. And the random number generation unit 141-α can be a particular integrated circuit.

Fig. 4 is a block diagram for illustrating a configuration of the acquisition apparatus 130 according to the first embodiment. Fig. 6 is a block diagram for illustrating details of a reconstruction unit 134-α shown in Fig. 4.
As illustrated in Fig. 4, the acquisition apparatus 130 according to this embodiment has a temporary storage 131, a storage 132, a controller 133, reconstruction units 134-α (α = 1, ..., L), a synthesis unit 137, a transmitter 135 and a receiver 136. As illustrated in Fig. 6, the reconstruction unit 134-α has a coefficient calculation unit 134a-α and a polynomial calculation unit 134b-α.
The acquisition apparatus 130 according to this embodiment is a particular apparatus including a well-known or dedicated computer comprising a CPU, a RAM, a ROM and the like and a particular program. More specifically, the temporary storage 131 and the storage 132 are storage areas provided by a RAM, a register, a cache memory, an element in an integrated circuit or an auxiliary storage device, such as a hard disk, or a combination of at least some of these devices. The controller 133, the reconstruction units 134-α (α = 1, ..., L) and the synthesis unit 137 are processing units implemented by the CPU executing a predetermined program, for example. At least part of the controller 133, the reconstruction units 134-α (α = 1, ..., L) and the synthesis unit 137 can be a particular integrated circuit. The transmitter 135 and the receiver 136 are communication devices, such as a modem and a local area network (LAN) card, for example.
The acquisition apparatus 130 performs each processing under the control of the controller 133. Although only simply described in the following, every data output from each processing unit is stored in the temporary storage 131 or the storage 132. The data stored in the temporary storage 131 or the storage 132 is read as required and input to each processing unit for the processing thereof.

A secret sharing processing according to this embodiment will be described.

[Preprocessing]

As a preprocessing for the secret sharing processing according to this embodiment, information θ ∈ F_q for identifying secret information θ · g ∈ G is stored in the storage 112 of the sharing apparatus 110.

[General Description of Secret Sharing Processing]

Fig. 7 is a diagram for generally illustrating the secret sharing processing according to the first embodiment. In the following, the secret sharing processing according to this embodiment will be generally described with reference to Fig. 7.
According to this embodiment, first, the sharing apparatus 110 (Fig. 1) independently performs the secret sharing of the secret information θ · g ∈ G among each subset SUB(α) to generate pieces of share information SH(α, h(α)) (h(α) = 1, ..., H(α)) and outputs the share information SH(α, h(α)) (Step S11). The pieces of share information SH(α, h(α)) are transmitted and distributed to the respective share management apparatuses [PA(α, h(α))] 120-α-h(α) via the network 150.
Each share management apparatus [PA(α, h(α))] 120-α-h(α) having received the corresponding share information SH(α, h(α)) performs a predetermined common calculation using the share information SH(α, h(α)) and the common information including a common value σ(α) shared in the subset SUB(α) to generate share secret value DSH(α, h(α)), and outputs the share secret value DSH(α, h(α)) (Step S12).
According to this embodiment, the common values σ(α) shared in different subsets SUB(α) are independent of each other. The share management apparatuses [PA(α, h(α))] 120-α-h(α) belonging to the same subset SUB(α) use the same "common information." In particular, the "common information" illustrated in this embodiment includes the common value σ(α) and provided information v common to all the share management apparatuses PA(α, h(α)) 120-α-h(α) provided by the acquisition apparatus 130. The share management apparatuses [PA(α, h(α))] 120-α-h(α) belonging to the same subset SUB(α) perform the same "common calculation". According to this embodiment, all the "common calculations" are the same. The "common calculation" according to this embodiment is a linear calculation.
The share secret value DSH(α, h(α)) output from each share management apparatus [PA(α, h(α))] 120-α-h(α) is transmitted to the acquisition apparatus 130 via the network 150. The acquisition apparatus 130 generates a reconstructed secret value SUBSK(α) by performing a reconstruction processing for each subset SUB(α) using a plurality of share secret values DSH(α, h(α)) for the subset SUB(α) (Step S 13).
Then, the acquisition apparatus 130 generates generation information SK using the reconstructed secret value SUBSK(α) generated for each subset SUB(α) and outputs the generation information SK (Step S14). According to this embodiment, the acquisition apparatus 130 generates the generation information SK by linear combination of the reconstructed secret values SUBSK(α).

[Processing of Sharing Apparatus (Step S 11)]

Fig. 8A is a diagram for illustrating a processing of the sharing apparatus according to the first embodiment, and Fig. 8B is a diagram for illustrating details of the processing of Step S 112. In the following, details of the processing of the sharing apparatus 110 will be described with reference to these drawings.
First, the controller 113 of the sharing apparatus 110 (Fig. 2) sets α at 1 (α = 1) and stores the setting in the temporary storage 111 (Step S111). Then, the information θ ∈ F_q for identifying the secret information θ · g ∈ G is read from the storage 112 and input to the secret sharing unit 114-α. The secret sharing unit 114-α shares the secret information θ · g or the information θ using the information θ ∈ F_q according to a predetermined secret sharing scheme to generate H(α) pieces of share information SH(α, 1), ..., SH(α, H(α)) for each of the subsets SUB(α) and outputs the share information (Step S112).

<<Details of Step S112>>

The secret sharing unit 114-α according to this embodiment generates the share information SH(α, h(α)) (h(α) = 1, ..., H(α)) for each subset SUB(α) by sharing the secret information according to an (R(α), H(α)) threshold secret sharing scheme (R(α) is a constant that satisfies a relation: 2 ≤ R(α) < H(α)).
As illustrated in Fig. 8B, first, the function selection unit 114a-α of the secret sharing unit 114-α (Fig. 5A) randomly selects an R(α)-1-th order polynomial f(α, x) ∈ F_q that satisfies a relation f(α, ω) = θ with regard to a predetermined element ω of the finite field F_q (ω ∈ F_q) and outputs the polynomial (Step S 112a). Note that x represents a variable that is an element of the finite field F_q, and the ω ∈ F_q is 0_F, for example.
Then, the index generation unit 114b-α generates respective indexes φ(h(α)) ∈ F_q for h(α) = 1, ..., H(α) and outputs the indexes (Step S112b). Note that the processing of Step S112b can be omitted if the indexes are h(α), i.e., φ(h(α)) = h(α) ∈ F_q, or the indexes φ(h(α)) ∈ F_q have already been obtained.
Then, the sharing processing unit 114c-α generates the following share information SH(α, h(α)) (h(α) = 1, ..., H(α)) using the polynomial f(α, x) ∈ F_q and the indexes φ(h(α)) ∈ F_q. $SH (α, h (α)) = (φ (h (α)), f (α, φ (h (α))) \cdot g \in G)$

The sharing processing unit 114c-α outputs the share information SH(α, h(α)) (Step S 112c) (this is the end of the description of <<Details of Step S112>>).
Then, the controller 113 determines whether or not the value α stored in the temporary storage 111 equals to L (Step S 113). If it is not determined that α = L, the controller 113 sets α+1 as a new α, stores the setting in the temporary storage 111 (Step S 114), and instructs to perform the processing of Step S 112 using the new α. On the other hand, if it is determined in Step S 113 that α = L, the share information SH(α, h(α)) (α = 1, ..., L) output from each secret sharing unit 114-α is transmitted to the transmitter 115. The transmitter 115 transmits each share information SH(α, h(α)) (α = 1, ..., L) to the corresponding share management apparatus [PA(α, h(α))] 120-α-h(α) (α = 1, ..., L) via the network 150 (Step S 115). That is, the share information SH(1, 1) is transmitted to the share management apparatus [PA(1,1)] 120-1-1, the share information SH(1, 2) is transmitted to the share management apparatus [PA(1,2)] 120-1-2, ..., and the share information SH(L, H(L)) is transmitted to the share management apparatus [PA(L, H(L))] 120-L-H(L).

[Processing of Common value Generation Apparatus]

Each common value generation apparatus 140-α (Fig. 3B) generates the common value σ(α) shared among the share management apparatuses [PA(α, h(α))] 120-α-h(α) forming the subset SUB(α) associated with the common value generation apparatus 140-α. According to this embodiment, each common value σ(α) is a random number generated by the random number generation unit 141-α, and the transmitter 142-α transmits the common value σ(α) to each share management apparatus [PA(α, h(α))] 120-α-h(α) forming the subset SUB(α).

[Processing of Share Management Apparatus (Step S 12)]

Fig. 9A is a diagram for illustrating a processing of the share management apparatus [PA(α, h(α))] 120-α-h(α) according to the first embodiment, and Fig. 9B is a diagram for illustrating details of the processing of Step S124. In the following, the processing of the share management apparatus [PA(α, h(α))] 120-α-h(α) according to this embodiment will be described with reference to these drawings.
First, the receiver 126-α-h(α) of the share management apparatus [PA(α, h(α))] 120-α-h(α) (Fig. 3A) receives the transmitted share information SH(α, h(α)) and stores the share information in the storage 122-α-h(α) (Step S 121). Note that the processing of Step S 121 can be omitted if the share information SH(α, h(α)) has already been stored in the storage 122-α-h(α) of the share management apparatus [PA(α, h(α))] 120-α-h(α).
The receiver 126-α-h(α) of the share management apparatus [PA(α, h(α))] 120-α-h(α) receives the common value σ(α) transmitted from the common value generation apparatus 140-α and stores the common value in the storage 122-α-h(α) (Step S122).
According to this embodiment, the provided information v read from the storage 132 of the acquisition apparatus 130 (Fig. 4) is transmitted by the transmitter 135 to each share management apparatus [PA(α, h(α))] 120-α-h(α) via the network 150. The provided information v is common to all the share management apparatus PA(α, h(α)) 120-α-h(α). The provided information v is received by the receiver 126-α-h(α) of the share management apparatus [PA(α, h(α))] 120-α-h(α) (Fig. 3A) and stored in the storage 122-α-h(α) (Step S 123).
Then, the share secret value generation unit 124-α-h(α) reads the share information SH(α, h(α)), the common value σ(α) and the provided information v from the storage 122-α-h(α). The share secret value generation unit 124-α-h(α) generates the share secret value DSH(α, h(α)) by performing a common calculation FNC 1 using the share information SH(α, h(α)) and the common information including the common value σ(α) and the provided information v, and outputs the share secret value DSH(α, h(α)) (Step S124).

<<Details of Step S124>>

The share secret value generation units 124-α-h(α) of the share management apparatuses PA(α, h(α)) 120-α-h(α) belonging to the same subset SUB(α) use the same common information and perform the same common calculation. The share information according to this embodiment is expressed by the formula (5).
As illustrated in Fig. 9B, first, the common value σ(α), the provided information v and f(α, φ(h(α))) · g of the share information SH(α, h(α)) = (φ(h(α)), f(α, φ(h(α))) · g) are input to the linear calculation unit 124a-α-h(α) of the share secret value generation unit 124-α-h(α) according to this embodiment. The linear calculation unit 124a-α-h(α) performs the following calculation and outputs the calculation result dsh(α, φ(h(α))) (Step S124a). $dsh (α, φ (h (α))) = σ (α) \cdot v \cdot f (α, φ (h (α))) \cdot g \in G$
The output calculation result dsh(α, φ(h(α))) is input to the share secret value synthesis unit 124b-α-h(α). In addition, the index φ(h(α)) of the share information SH(α, h(α)) = (φ(h(α)), f(α, φ(h(α))) · g) is input to the share secret value synthesis unit 124b-α-h(α), and the share secret value synthesis unit 124b-α-h(α) generates the share secret value DSH(α, h(α)) according to the following calculation. $DSH (α, h (α)) = (φ (h (α)), dsh (α, φ (h (α))))$

The share secret value synthesis unit 124b-α-h(α) outputs the share secret value DSH(α, h(α)) (Step S124b) (this is the end of the description of

<<Details of Step S124>>).

The generated share secret value DSH(α, h(α)) is transmitted to the transmitter 125-α-h(α). The transmitter 125-α-h(α) transmits the share secret value DSH(α, h(α)) to the acquisition apparatus 130 via the network 150 (Step S125).

[Processing of Acquisition Apparatus (Steps S 13 and S 14)]

Fig. 10A is a diagram for illustrating a processing of the acquisition apparatus according to the first embodiment, and Fig. 10B is a diagram for illustrating the processing of Step S 134.
The share secret value DSH(α, h(α)) transmitted from each share management apparatus PA(α, h(α)) 120-α-h(α) is received by the receiver 136 of the acquisition apparatus 130 (Fig. 4) and stored in the storage 132 (Step S131).
Then, the controller 133 determines whether or not the number of share secret values DSH(α, h(α)) stored in the storage 132 is equal to or greater than a required number (Step S 132). According to this embodiment, it is determined whether or not R(α) or more different share secret values DSH(α, h(α)) are stored in the storage 132 for each α = 1, ..., L (2 ≤ R(α) < H(α)). If it is not determined that the number of share secret values DSH(α, h(α)) stored in the storage 132 is equal to or greater than the required number, the process returns to the processing of Step S 131.
On the other hand, if it is determined that the number of share secret values DSH(α, h(α)) stored in the storage 132 is equal to or greater than the required number, the controller 133 sets α at 1 (α = 1) and stores the setting in the temporary storage 131 (Step S 133). Then, the required number of share secret values DSH(α, h(α)) for the subset SUB(α) are read from the storage 132 and input to the reconstruction unit 134-α. The reconstruction unit 134-α generates the reconstructed secret value SUBSK(α) by performing a reconstruction processing for each subset SUB(α) according to the secret sharing scheme used in Step S122 described above using the input share secret values DSH(α, h(α)), and outputs the reconstructed secret value SUBSK(α) for the subset SUB(α) (Step S134).

<<Details of Step S134>>

The share secret value DSH(α, h(α)) according to this embodiment is expressed by formula (7). To the reconstruction unit 134-α (Fig. 6), R(α) different share secret values DSH(α, h(α)) are input for each α. In the following, the share secret values DHS(α, h(α)) for each α input to the reconstruction unit 134-α are expressed as follows. $DSH (α, φ_{1} (α)) = (φ_{1} (α), {dsh}_{1} (α))$
$DSH (α, φ_{R (α)} (α)) = (φ_{R (α)} (α), {dsh}_{R (α)} (α))$

Note that the following relations hold. $(φ_{1} (α), \dots, φ_{R (α)} (α)) \subset (φ (1), \dots, φ (H (α)))$
$({dsh}_{1} (α), \dots, {dsh}_{R (α)} (α)) \subset (dsh (α, φ (1)), \dots, dsh (α, φ (H (α))))$
As illustrated in Fig. 10B, the indexes φ₁(α), ..., φ_R(α)(α) of DSH(α, φ₁(α)), ..., DSH(α, φ_R(α)(α)) expressed by formula (8) are input to the coefficient calculation unit 134a-α, and the coefficient calculation unit 134a-α generates the coefficients λ_ρ(x) (p = 1, ..., R(α)) for each ρ = 1, ..., R(α) by performing the calculation expressed by the following formula and outputs the coefficients (Step S 134a). $λ_{ρ} (x) = \frac{(x - φ_{1} (α)) \dots \overset{ρ}{\lor} \dots (x - φ_{R (α)} (α))}{(φ_{ρ} (α) - φ_{1} (α)) \dots \overset{ρ}{\lor} \dots (φ_{ρ} (α) - φ_{R (α)} (α))} \in F_{q}$
The generated coefficients λ_ρ(x) and dsh₁(α), ..., dsh_R(α)(α) of DSH(α, φ₁(α), ..., DSH(α, φ_R(α)(α)) are input to the polynomial calculation unit 134b-α. The polynomial calculation unit 134b-α generates the reconstructed secret value SUBSK(α) for the subset SUB(α) by performing the following calculation. $SUBSK (α) = λ_{1} (ω) \cdot {dsh}_{1} (α) + \dots + λ_{R (α)} (ω) \cdot {dsh}_{R (α)} (α) \in G$

The polynomial calculation unit 134b-α outputs the reconstructed secret value SUBSK(α) (Step S134b) (this is the end of the description of <<Details of Step S134>>).
The controller 133 determines whether or not the value α stored in the temporary storage 131 equals to L (Step S135). If it is not determined that α = L, the controller 133 sets α + 1 as a new α, stores the setting in the temporary storage 131 (Step S136), and instructs to perform the processing of Step S 134 using the new α.
On the other hand, if it is determined in Step S135 that α = L, the reconstructed secret value SUBSK(α) output from each reconstruction unit 134-α is sent to the synthesis unit 137. The synthesis unit 137 generates the generation information SK expressed by the following formula using the reconstructed secret values SUBSK(α) generated for the subsets SUB(α), and outputs the generation information SK (Step S141). $SK = FNC 2 (SUBSK (1), \dots, SUBSK (L))$

<<Details of Step S141>>

The following are specific examples of formula (13). $Specific example 1 : SK = SUBSK (1) + \dots + SUBSK (L) \in G$
$Specific example 2 : SK = {CE}_{1} \cdot SUBSK (1) + \dots + {CE}_{L} \cdot SUBSK (L) \in G$

Note that each CE_α ∈ F_q is a coefficient, for example, a multiplicative inverse of L: (L)^-1 ∈ F_q. Any one of the coefficients CE₁, ..., CE_L can be 0_F. In that case, the generation information SK is generated by using only part of SUBSK(1) + ... + SUBSK(L). In the generation, the synthesis unit 137 can randomly selects the coefficient or coefficients to be set at 0_F from among the coefficients CE₁, ..., CE_L. This improves security. The synthesis unit 137 can also arbitrarily set the coefficients CE₁, ..., CE_L. This allows the acquisition apparatus 130 to generate the generation information SK without using the reconstructed secret values SUBSK(α') for a less reliable subset SUB(α') (this is the end of the description of «Details of Step S141>>).

According to this embodiment, the sharing apparatus 110 performs the secret sharing of the secret information θ ·g ∈ G independently for each subset SUB(α) to generate the share information SH(α, h(α)), each share management apparatus PA(α, h(α)) 120-α-h(α) generates the share secret value DSH(α, h(α)) by performing a common calculation using the share information SH(α, h(α)) and the common information including the common value σ(α) and the provided information v, and the acquisition apparatus 130 generates each of the reconstructed secret values SUBSK(α) by performing a reconstruction processing for each subset SUB(α) using a plurality of share secret values DSH(α, h(α)) for the subset SUB(α) and generates the generation information SK from the reconstructed secret values SUBSK(α).
Since the secret sharing, the common calculation and the reconstruction processing are performed for each subset SUB(α) by using the common value σ(α) shared in the subset SUB(α), these processings are possible. In addition, the value σ is not shared among all the share management apparatuses PA(α, h(α)) 120-α-h(α), but the common value σ(α) is independently shared in each subset SUB(α), so that high security is ensured. In particular, according to this embodiment, the common values σ(α) shared in the different subsets SUB(α) are independent of each other. This ensures high security.
According to this embodiment, all the share management apparatuses PA(α, h(α)) 120-α-h(α) (α = 1, ..., L) performs the same common calculation FNC1. The common calculation FNC1 according to this embodiment is a linear calculation. Therefore, according to this embodiment, the generation information SK can be generated by linear combination of the reconstructed secret values SUBSK(α), so that the generation information SK generated from the reconstructed secret values SUBSK(α) can be the same as the result of the common calculation FNC1 with respect to the secret information θ · g and a certain value σ as operands.
According to this embodiment, the (R(α), H(α)) threshold secret sharing scheme is used to share the secret information θ · g ∈ G among the subset SUB(α). Such an arrangement is possible if the share information SH(α, h(α)) includes an element f(α, φ(h(α))) · g of the cyclic group G (i.e., f(α, φ(h(α))) · g ∈ G) provided that x is a variable that is an element of the finite field F_q, an R(α)-1-th order polynomial that satisfies a relation f(α, ω) = θ for a predetermined element ω of the finite field F_q (ω ∈ F_q) is expressed as f(α, x) ∈ F_q, and the index for h(α) is φ(h(α)). Since the secret information θ · g ∈ G that is an element of the cyclic group is shared by secret sharing, even if the secret information θ · g reconstructed from the share information SH(α, h(α)) leaks to the outside, θ does not leaks to the outside if it is difficult to solve the discrete logarithm problem on the cyclic group G. Thus, high security is ensured.

[Modification 1 of First Embodiment]

Next, modification 1 of the first embodiment will be described.
According to the first embodiment, the secret information θ · g ∈ G, which is an element of the cyclic group G, is shared by secret sharing. However, the element θ of the finite field F_q (θ ∈ F_q) can be shared by secret sharing. In that case, the share information SH(α, h(α)) shared according to the (R(α), H(α)) threshold secret sharing scheme includes an element f(α, φ(h(α))) of the finite field F_q (f(α, φ(h(α))) ∈ F_q) provided that x is a variable that is an element of the finite field F_q, an R(α)-1-th order polynomial that satisfies a relation f(α, ω) = θ for a predetermined element ω of the finite field F_q (ω ∈ F_q) is expressed as f(α, x) ∈ F_q, and the index for h(α) is φ(h(α)).
Fig. 11A is a diagram for illustrating a configuration of a secret sharing unit 214-α according to modification 1 of the first embodiment, and Fig. 11B is a diagram for illustrating a configuration of a share secret value generation unit 224-α-h(α) according to modification 1 of the first embodiment. In these drawings, the same parts as those in the first embodiment are denoted by the same reference numerals as those in the first embodiment.
A secret sharing system 2 according to modification 1 of the first embodiment comprises a sharing apparatus 210 that replaces the sharing apparatus 110 and share management apparatuses 220-α-h(α) (α = 1, ..., L) that replace the share management apparatuses 120-α-h(α) (α = 1, ..., L). The secret sharing units 114-α (α = 1, ..., L) are replaced by secret sharing units 214-α (α = 1, ..., L) shown in Fig. 11A, and the share secret value generation units 124-α-h(α) (α = 1, ..., L) are replaced by share secret value generation units 224-α-h(α) (α = 1, ..., L) shown in Fig. 11B. The remainder of the configuration is the same as that according to the first embodiment.

«Modification of Step S 112 according to Modification 1 of First Embodiment»

According to modification 1 of the first embodiment, the processing of Step S 112 shown in Fig. 8B is modified as described below.
First, Steps S 112a and S 112b shown in Fig. 8B are performed. Then, instead of Step S112c, a sharing processing unit 214c-α of the secret sharing unit 214-α (Fig. 11A) generates pieces of share information SH(α, h(α)) described below using the polynomial f(α, x) ∈ F_q and the indexes φ(h(α)) ∈ Fq and outputs the share information. $SH (α, h (α)) = (φ (h (α)), f (α, φ (h (α))))$

«Modification of Step S124 according to Modification 1 of First Embodiment»

According to modification 1 of the first embodiment, the processing of Step S 124 shown in Fig. 9B is modified as described below.
First, instead of Step S124a, the common value σ(α), the provided information v and f(α, φ(h(α))) of the share information SH(α, h(α)) = (φ(h(α)), f(α, φ(h(α)))) are input to a linear calculation unit 224a-α-h(α) (Fig. 11B), and the linear calculation unit 224a-α-h(α) performs the following calculation and outputs the calculation result dsh(α, φ(h(α))) ∈ G. $dsh (α, φ (h (α))) = σ (α) \cdot v \cdot f (α, φ (h (α))) \cdot g \in G$

The calculation result dsh(α, φ(h(α))) ∈ G is information that is part of the share secret value DSH(α, h(α)). Then, the processing of Step S124b shown in Fig. 9B is performed (this is the end of the description of «Modification of Step S124 according to Modification 1 of First Embodiment»). The remainder of the processing is the same as that in the first embodiment.

[Modification 2 of First Embodiment]

Next, modification 2 of the first embodiment will be described.
According to modification 2 of the first embodiment, again, an element θ of the finite field F_q (θ ∈ F_q) is shared. The modification 2 of the first embodiment differs from modification 1 in that the calculation result dsh(α, φ(h(α))) is not an element of the cyclic group but an element of the finite field F_q.
Fig. 12A is a diagram for illustrating a configuration of a share secret value generation unit 324-α-h(α) according to modification 2 of the first embodiment, and Fig. 12B is a diagram for illustrating a configuration of a reconstruction unit 334-α according to modification 2 of the first embodiment. In these drawings, the same parts as those in the first embodiment are denoted by the same reference numerals as those in the first embodiment.
A secret sharing system 3 according to modification 2 of the first embodiment comprises the sharing apparatus 210 that replaces the sharing apparatus 110, share management apparatuses 320-α-h(α) (α = 1, ..., L) that replace the share management apparatuses 120-α-h(α) (α = 1, ..., L), and an acquisition apparatus 330 that replaces the acquisition apparatus 130. The share secret value generation units 124-α-h(α) (α = 1, ..., L) are replaced by the share secret value generation units 324-α-h(α) (α = 1, ..., L) shown in Fig. 12A, and the reconstruction units 134-α (α = 1, ..., L) are replaced by the reconstruction units 334-α (α = 1, ..., L) shown in Fig. 12B. The remainder of the configuration is the same as that according to the first embodiment.

«Modification of Step S 112 according to Modification 2 of First Embodiment»

Step S 112 is modified in the same way as in modification 1 of the first embodiment.

«Modification of Step S 124 according to Modification 2 of First Embodiment»

According to modification 2 of the first embodiment, the processing of Step S 124 shown in Fig. 9B is modified as described below.
First, instead of Step S124a, the common value σ(α), the provided information v and f(α, φ(h(α))) of the share information SH(α, h(α)) = (φ(h(α)), f(α, φ(h(α)))) are input to a linear calculation unit 324a-α-h(α) (Fig. 12A), and the linear calculation unit 324a-α-h(α) performs the following calculation and outputs the calculation result dsh(α, φ(h(α))) ∈ F_q. $dsh (α, φ (h (α))) = σ (α) \cdot v \cdot f (α, φ (h (α))) \in F_{q}$

The calculation result dsh(α, φ(h(α))) ∈ Fq is information that is part of the share secret value DSH(α, h(α)). Then, the processing of Step S124b shown in Fig. 9B is performed.

«Modification of Step S 134 according to Modification 2 of First Embodiment»

First, the processing of Step S 134a shown in Fig. 10B is performed. Then, instead of Step S134b shown in Fig. 10B, each coefficient λ_ρ(x) and dsh₁(α), ..., dsh_R(α)(α) of DSH(α, φ₁(α)), ..., DSH(α, φ_R(α)(α)) expressed by formula (8) are input to a polynomial calculation unit 334b-α (Fig. 12B), and the polynomial calculation unit 334b-α generates the reconstructed secret value SUBSK(α) for the subset SUB(α) by performing the following calculation. $SUBSK (α) = \{λ_{1} (ω) \cdot {dsh}_{1} (α) + \dots + λ_{R (α)} (ω) \cdot {dsh}_{R (α)} (α)\} \cdot g \in G$

The polynomial calculation unit 334b-α outputs the reconstructed secret value SUBSK(α) for the subset SUB(α) (this is the end of the description of «Modification of Step S 134 according to Modification 2 of First Embodiment»). The remainder of the processing is the same as that in the first embodiment.

[Modification 3 of First Embodiment]

According to modification 3 of the first embodiment, instead of the (R(α), H(α)) threshold secret sharing scheme, an (H(α), H(α)) threshold secret sharing scheme is used to share secret information.
Fig. 13A is a diagram for illustrating a configuration of a secret sharing unit 414-α according to modification 3 of the first embodiment, Fig. 13B is a diagram for illustrating a configuration of a share secret value generation unit 424-α-h(α) according to modification 3 of the first embodiment, and Fig. 13C is a diagram for illustrating a configuration of a reconstruction unit 434-α according to modification 3 of the first embodiment.
A secret sharing system 4 according to modification 3 of the first embodiment comprises a sharing apparatus 410 that replaces the sharing apparatus 110, a share management apparatuses 420-α-h(α) (α = 1, ..., L) that replace the share management apparatuses 120-α-h(α) (α = 1, ..., L), and an acquisition apparatus 430 that replaces the acquisition apparatus 130. The secret sharing units 114-α (α = 1, ..., L) are replaced by the secret sharing units 414-α (α = 1, ..., L) shown in Fig. 13A, the share secret value generation units 124-α-h(α) (α = 1, ..., L) are replaced by the share secret value generation units 424-α-h(α) (α = 1, ..., L) shown in Fig. 13B, and the reconstruction units 134-α (α = 1, ..., L) are replaced by the reconstruction units 434-α (α = 1, ..., L) shown in Fig. 13C. The remainder of the configuration is the same as that according to the first embodiment.

«Modification of Step S 112 according to Modification 3 of First Embodiment»

According to modification 3 of the first embodiment, the processing of Step S 112 shown in Fig. 8B is modified as described below.
First, a random number generation unit 414a-α of the secret sharing unit 414-α (Fig. 13A) randomly selects H(α)-1 elements of the cyclic group G described below and outputs the elements. $SH (α) (1), \dots, SH (α, H (α) - 1) \in G$
Then, the secret information θ · g ∈ G and the H(α)-1 elements SH(α, 1), ..., SH(α, H(α)-1) of the cyclic group G (SH(α, 1), ..., SH(α, H(α)-1) ∈ G) are input to an inverse calculation unit 414b-α. The inverse calculation unit 414b-α generates SH(α, h(α)) by performing the following calculation and outputs SH(α, h(α)). $SH (α, h (α)) = θ \cdot g - \{SH (α) (1) + \dots + SH (α, H (α) - 1)\} \in G$
The secret sharing unit 414-α outputs the following information as share information for the subset SUB(α). $SH (α) (1), \dots, SH (α, H (α)) \in G$

The share information satisfies the following relation. $SH (α) (1) + SH (α) (2) + \dots + SH (α, H (α)) = θ \cdot g \in G$

«Modification of Step S 124 according to Modification 3 of First Embodiment»

According to modification 3 of the first embodiment, the processing of Step S124 shown in Fig. 9B is modified as described below.
First, the common value σ(α), the provided information v and the share information SH(α, 1), ..., SH(α, H(α)) are input to the share secret value generation unit 424-α-h(α) (Fig. 13B). The share secret value generation unit 424-α-h(α) generates the share secret value DSH(α, h(α)) by performing the following calculation and outputs the share secret value. $DSH (α, h (α)) = σ (α) \cdot v \cdot SH (α, h (α)) \in G$

«Modification of Step S 132 according to Modification 3 of First Embodiment»

According to modification 3 of the first embodiment, the processing of Step S 132 shown in Fig. 10A is modified as described below.
According to modification 3, again, the controller 133 determines whether or not the number of share secret values DSH(α, h(α)) stored in the storage 132 is equal to or greater than a required number, where the "required number" in modification 3 is H(α). That is, according to modification 3, it is determined for each α = 1, ..., L whether or not all the share secret values DSH(α, h(α)) are stored in the storage 132.

«Modification of Step S134 according to Modification 3 of First Embodiment»

According to modification 3 of the first embodiment, the processing of Step S 134 shown in Fig. 10B is modified as described below.
The share secret value DSH(α, h(α)) according to modification 3 is expressed by formula (23). To the reconstruction unit 434-α (Fig. 13C), all the share secret values DSH(α, h(α)) (h(α) = 1, ..., H(α)) for α are input. The reconstruction unit 434-α generates the reconstructed secret value SUBSK(α) for the subset SUB(α) by performing the following calculation and outputs the reconstructed secret value. $SUBSK (α) = DSH (α) (1) + \dots + DSH (α, H (α)) \in G$

The remainder of the processing is the same as that in the first embodiment.

[Modification 4 of First Embodiment]

According to modification 4 of the first embodiment, again, instead of the (R(α), H(α)) threshold secret sharing scheme, the (H(α), H(α)) threshold secret sharing scheme is used to share secret information. Modification 4 differs from modification 3 in that secret information θ ∈ F_q that is an element of the finite field F_q is shared by secret sharing.
Fig. 14A is a diagram for illustrating a configuration of a secret sharing unit 514-α according to modification 4 of the first embodiment, Fig. 14B is a diagram for illustrating a configuration of a share secret value generation unit 524-α-h(α) according to modification 4 of the first embodiment, and Fig. 14C is a diagram for illustrating a configuration of a reconstruction unit 534-α according to modification 4 of the first embodiment.
A secret sharing system 5 according to modification 4 of the first embodiment comprises a sharing apparatus 510 that replaces the sharing apparatus 110, share management apparatuses 520-α-h(α) (α = 1, ..., L) that replace the share management apparatuses 120-α-h(α) (α = 1, ..., L), and an acquisition apparatus 530 that replaces the acquisition apparatus 130. The secret sharing units 114-α (α = 1, ..., L) are replaced by the secret sharing units 514-α (α = 1, ..., L) shown in Fig. 14A, the share secret value generation units 124-α-h(α) (α = 1, ..., L) are replaced by the share secret value generation units 524-α-h(α) (α = 1, ..., L) shown in Fig. 14B, and the reconstruction units 134-α (α = 1, ..., L) are replaced by the reconstruction units 534-α (α = 1, ..., L) shown in Fig. 14C. The remainder of the configuration is the same as that according to the first embodiment.

«Modification of Step S 112 according to Modification 4 of First Embodiment»

According to modification 4 of the first embodiment, the processing of Step S 112 shown in Fig. 8B is modified as described below.
First, a random number generation unit 514a-α of the secret sharing unit 514-α (Fig. 14A) randomly selects H(α)-1 elements of the finite field F_q described below and outputs the elements. $SH (α) (1), \dots, SH (α, H (α) - 1) \in F_{q}$
Then, the secret information θ ∈ F_q and the H(α)-1 elements SH(α, 1), ..., SH(α, H(α)-1) of the finite field F_q (SH(α, 1), ..., SH(α, H(α)-1) ∈ F_q) are input to an inverse calculation unit 514b-α. The inverse calculation unit 514b-α generates SH(α, h(α)) by performing the following calculation and outputs SH(α, h(α)). $SH (α, h (α)) = θ - \{SH (α) (1) + \dots + SH (α, H (α) - 1)\} \in F_{q}$
The secret sharing unit 514-α outputs the following as share information for the subset SUB(α). $SH (α) (1), \dots, SH (α, H (α)) \in F_{q}$

The share information satisfies the following relation. $SH (α) (1) + SH (α) (2) + \dots + SH (α, H (α)) = θ \in F_{q}$

«Modification of Step S 124 according to Modification 4 of First Embodiment»

According to modification 4 of the first embodiment, the processing of Step S 124 shown in Fig. 9B is modified as described below.
First, the common value σ(α), the provided information v and the share information SH(α, 1), ..., SH(α, H(α)) are input to the share secret value generation unit 524-α-h(α) (Fig. 14B). The share secret value generation unit 524-α-h(α) generates the share secret value DSH(α, h(α)) by performing the following calculation and outputs the share secret value. $DSH (α, h (α)) = σ (α) \cdot v \cdot SH (α, h (α)) \in F_{q}$

«Modification of Step S 132 according to Modification 4 of First Embodiment»

Step S 132 is modified in the same way as in modification 3 of the first embodiment.

«Modification of Step S 134 according to Modification 4 of First Embodiment»

According to modification 4 of the first embodiment, the processing of Step S 134 shown in Fig. 10B is modified as described below.
The share secret value DSH(α, h(α)) according to modification 4 is expressed by formula (29). To the reconstruction unit 534-α (Fig. 14C), all the share secret values DSH(α, h(α)) (h(α) = 1, ..., H(α)) for α are input. The reconstruction unit 534-α generates the reconstructed secret value SUBSK(α) for the subset SUB(α) by performing the following calculation and outputs the reconstructed secret value. $SUBSK (α) = \{DSH (α) (1) + \dots + DSH (α, H (α))\} \cdot g \in G$

The remainder of the processing is the same as that in the first embodiment.

[Other Modifications of First Embodiment]

Various other modifications can be made without departing from the spirit of the present invention. For example, the calculation expressed by the following formula (31) can be performed instead of formula (29) in modification 4 of the first embodiment, and the calculation expressed by formula (24) can be performed instead of the calculation expressed by formula (30). $DSH (α, h (α)) = σ (α) \cdot v \cdot SH (α, h (α)) \in F_{q}$

The reconstructed secret value SUBSK(α) can be an element of the finite field F_q.
Although the same secret sharing scheme is used for the subsets SUB(α) in this embodiment, different secret sharing schemes can also be used for different subsets SUB(α).
Although the common value generation apparatus 140-α is provided for each subset SUB(α) in this embodiment, any one of the share management apparatuses in each subset SUB(α) can have the function of the common value generation apparatus. In that case, the common value generation apparatus 140-α is unnecessary.
In this embodiment, the share secret value DSH(α, h(α)) is generated by performing the common calculation FNC1 using the share information SH(α, h(α)) and the common information including the common value σ(α) and the provided information v. However, the share secret value DSH(α, h(α)) can also be generated without using the provided information v by using the common value σ(α) alone as the common information. The common information can also include other information as well as the common value σ(α) and the provided information v.
Although the same common calculation for determining the share secret value DSH(α, h(α)) has to be used in each subset SUB(α), different common calculations can be used in different subsets SUB(α).

[Second Embodiment]

Next, a second embodiment of the present invention will be described. This embodiment is an application of the first embodiment to key generation in functional encryption.

Terms and symbols used in the description of this embodiment will be defined below.
Matrix: the term "matrix" means a rectangular array of elements of a set for which a calculation is defined. Not only elements of a ring but also elements of a group can form the matrix.

(●)^T: (●)^T represents a transposed matrix of ●.
(●)^-1: (●)^-1 represents an inverse matrix of ●.
∧: ∧ is a logical symbol that represents logical conjunction (AND).
∨: ∨ is a logical symbol that represents logical disjunction (OR).
¬: ¬ is a logical symbol that represents negation (NOT).

Z: Z represents the integer set.
sec: sec represents a security parameter (sec ∈ Z, sec > 0).
0*: 0* represents a string of * 0s.
1*: 1* represents a string of * 1s.
F_q: F_q represents a finite field having an order q (same definition as in the first embodiment).
0_F: 0_F represents an additive identity of the finite field F_q (same definition as in the first embodiment).
1_F: 1_F represents a multiplicative identity of the finite field F_q (same definition as in the first embodiment).
δ(i, j): δ(i, j) represents a Kronecker delta function. δ(i, j) = 1_F when i = j, and δ(i, j) = 0_F when i ≠ j.
E: E represents an elliptic curve defined on the finite field F_q (same definition as in the first embodiment).
A finite set comprising rational points on the elliptic curve E has a subgroup having an order p (p ≥ 1). For example, provided that the number of elements of the finite set comprising rational points on the elliptic curve E is denoted by #E, and p is a large prime number that divides #E, a finite set E[p] consisting of p-division points on the elliptic curve E forms a subgroup of the finite set consisting of the rational points on the elliptic curve E. The "p-division points on the elliptic curve E" means those of the points A on the elliptic curve E whose elliptic curve scalar products p · A on the elliptic curve E satisfy a relation p · A = O.
G₁, G₂, G_T: G₁, G₂ and G_T each represent a cyclic group having an order q. Specific examples of the cyclic groups G₁ and G₂ include the finite set E[p] comprising p-division points on the elliptic curve E and a subgroup thereof. G₁ may be the same as G₂ (G₁ = G₂) or differ from G₂ (G₁ ≠ G₂). Specific examples of the cyclic group G_T include a finite set forming an extension field of the finite field F_q, which is a prime field. One example is a finite set consisting of p-th roots of 1 in an algebraic closure of the finite field F_q. The security is improved if the cyclic groups G₁, G₂ and G_T and the finite field F_q have the same order.
In this embodiment, calculations defined on the cyclic groups G₁ and G₂ are additively expressed, and a calculation defined on the cyclic group G_T is multiplicatively expressed. For example, χ · Ω ∈ G₁ for χ ∈ F_q and Ω ∈ G₁ means that a calculation defined on the cyclic group G₁ is performed χ times on Ω ∈ G₁, and Ω₁ + Ω₂ ∈ G₁ for Ω₁ and Ω₂ ∈ G means that a calculation defined on the cyclic group G₁ is performed on operands Ω₁ ∈ G₁ and Ω₂ ∈ G₁. Similarly, χ · Ω ∈ G₂ for χ ∈ F_q and Ω ∈ G₂ means that a calculation defined on the cyclic group G₂ is performed χ times on Ω ∈ G₂, and Ω₁ + Ω₂ ∈ G₂ for Ω₁ and Ω₂ ∈ G₂ means that a calculation defined on the cyclic group G₂ is performed on operands Ω₁ ∈ G₂ and Ω₂ ∈ G₂. On the other hand, Ω^χ ∈ G_T for χ ∈ F_q and Ω ∈ G_T means that a calculation defined on the cyclic group G_T is performed χ times on Ω ∈ G_T, and Ω₁ · Ω₂ ∈ G_T for Ω₁ and Ω₂ ∈ G_T means that a calculation defined on the cyclic group G₁ is performed on operands Ω₁ ∈ G_T and Ω₂ ∈ G_T.
Ψ: Ψ represents an integer equal to or greater than 1.
Ψ: Ψ represents an integer equal to or greater than 0 and equal to or smaller than Ψ (ψ = 0, ..., Ψ).
λ: λ represents an integer equal to or greater than 1 and equal to or smaller than Ψ (λ = 1, ..., Ψ).
n(ψ): n(ψ) represents an integer equal to or greater than 1.
ζ(ψ): ζ(ψ) represents an integer equal to or greater than 0.
G₁ ^n(ψ)+ζ(ψ): G₁ ^n(ψ)+ζ(ψ) represents a direct product of n(ψ)+ζ(ψ) cyclic groups G₁.
G₂ ^n(ψ)+ζ(ψ): G₂ ^n(ψ)+ζ(ψ) represents a direct product of n(ψ)+ζ(ψ) cyclic groups G₂.
g₁, g₂, g_T: g₁, g₂ and g_T represent generators of the cyclic groups G₁, G₂ and G_T, respectively.
V(ψ): V(ψ) represents an n(ψ)+ζ(ψ)-dimensional vector space formed by a direct product of n(ψ)+ζ(ψ) cyclic groups G₁.
V*(ψ): V*(ψ) represents an n(ψ)+ζ(ψ)-dimensional vector space formed by a direct product of n(ψ)+ζ(ψ) cyclic groups G₂.
e_ψ: e_ψ represents a nondegenerate bilinear map that maps a direct product G₁ ^n(ψ)+ζ(ψ) × G₂ ^n(ψ)+ζ(ψ) of the direct product G₁ ^n(ψ)+ζ(ψ) and the direct product G₂ ^{n(ψ)+ζ(ψ))} to the cyclic group G_T. The bilinear map e_ψ outputs one element of the cyclic group G_T in response to input of n(ψ)+ζ(ψ) elements γ_β (β = 1, ..., n(ψ) + ζ(ψ)) of the cyclic group G₁ and n(ψ)+ζ(ψ) elements γ_β* (β = 1, ... n(ψ) + ζ(ψ)) of the cyclic group G₂. $e_{ψ} : {G_{1}}^{n (ψ) + ζ (ψ)} \times {G_{2}}^{n (ψ) + ζ (ψ)} \to G_{T}$

The bilinear map e_ψ has the following properties.

[Bilinearlity]

The bilinear map e_ψ satisfies the following relation for any elements of Γ₁ ∈ G₁ ^n(ψ)+ζ(ψ), Γ₂ ∈ G₂ ^n(ψ)+ζ(ψ), and ν, κ ∈ F_q. $e_{ψ} (ν \cdot Γ_{1}, κ \cdot Γ_{2}) = e_{ψ} {(Γ_{1}, Γ_{2})}^{ν \cdot κ}$

[Nondegenerateness]

The bilinear map e_ψ is not a map that maps all the elements of Γ₁ ∈ G₁ ^n(ψ)+ζ(ψ) and Γ₂ ∈ G₂ ^n(ψ)+ζ(ψ) to the identity element of the cyclic group G_T.

[Computability]

There is an efficient calculation algorithm for e_ψ(Γ₁, Γ₂) for any of the following elements. $Γ_{1} \in {G_{1}}^{n (ψ) + ζ (ψ)}, Γ_{2} \in {G_{2}}^{n (ψ) + ζ (ψ)}$
According to this embodiment, a nondegenerate bilinear map that maps the direct current G₁ x G₂ of the cyclic groups G₁ and G₂ to the cyclic group G_T shown below is used to provide the bilinear map e_ψ. $Pair : G_{1} \times G_{2} \to G_{T}$

The bilinear map e_ψ according to this embodiment outputs one element of the cyclic group G_T in response to input of an n(ψ)+ζ(ψ)-dimensional vector (γ₁, ..., γ_n(ψ)+ζ(ψ)) formed by n(ψ)+ζ(ψ) elements γ _β (β = 1, ..., n(ψ)+ζ(ψ)) of the cyclic group G₁ and an n(ψ)+ζ(ψ)-dimensional vector (γ₁ ^*, ..., γ_n(ψ)+ζ(ψ) ^*) formed by n(ψ)+ζ(ψ) elements γ _β ^* (β = 1, ... n(ψ)+ζ(ψ)) of the cyclic group G₂. $e_{ψ} : {\prod_{β = 1}}^{n (ψ) + ζ (ψ)} Pair (γ_{β}, {γ_{β}}^{*})$

The bilinear map Pair outputs one element of the cyclic group G_T in response to a set of one element of the cyclic group G₁ and one element of the cyclic group G₂. The bilinear map Pair has the following properties.

[Bilinearlity]

The bilinear map Pair satisfies the following relation for any elements of Ω₁ ∈ G₁, Ω₂ ∈ G₂, and ν, κ ∈ F_q. $Pair (ν \cdot Ω_{1}, κ \cdot Ω_{2}) = Pair {(Ω_{1}, Ω_{2})}^{v \cdot κ}$

[Nondegenerateness]

The bilinear map Pair is not a map that maps all the elements of $Ω_{1} \in G_{1}, Ω_{2} \in G_{2}$

to the identity element of the cyclic group G_T.

[Computability]

There is an efficient calculation algorithm for Pair(Ω₁, Ω₂) for any of the elements of Ω₁ ∈ G₁ and Ω₂ ∈ G₂.
Specific examples of the bilinear map Pair include functions for pairing calculations, such as Weil pairing and Tate pairing (see Reference literature 4 (Alfred. J. Menezes, "ELLIPTIC CURVE PUBLIC KEY CRYPTOSYSTEMS," KLUWER ACADEMIC PUBLISHERS, ISBN0-7923-9368-6, pp. 61 to 81), for example). Depending on the type of the elliptic curve E, a modified pairing function e(Ω₁, phi(Ω₂)) (Ω₁ ∈ G₁, Ω₂ ∈ G₂) that is a combination of a function for a pairing calculation, such as Tate pairing, and a predetermined function phi may be used as the bilinear map Pair (see Reference literature 2, for example). An algorithm for performing the paring calculation on a computer is the well-known Millers algorithm (see Reference literature 5 (V. S. Miller, "Short Programs for functions on Curves," 1986, Internet <http://crypto.stanford.edu/miller/miller.pdf>). Methods for forming an elliptic curve or a cyclic group that improves efficiency of the pairing calculation are well-known (see Reference literature 2, Reference literature 6 (A. Miyaji, M. Nakabayashi, S.Takano, "New explicit conditions of elliptic curve Traces for FR-Reduction," IEICE Trans. Fundamentals, vol. E84-A, no05, pp. 1234 to 1243, May 2001), Reference literature 7 (P. S. L. M. Barreto, B. Lynn, M. Scott, "Constructing elliptic curves with prescribed embedding degrees," Proc. SCN '2002, LNCS 2576, pp. 257 to 267, Springer-Verlag. 2003), and Reference literature 8 (R. Dupont, A. Enge, F. Morain, "Building curves with arbitrary small MOV degree over finite prime fields," http://eprint.iacr.org/2002/094/), for example).
a_i(ψ) (i=1, ..., n(ψ) + ζ(ψ)): a_i(ψ) represent n(ψ)+ζ(ψ)-dimensional basis vectors each consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₁. For example, the basis vectors a_i(ψ) are n(ψ)+ζ(ψ)-dimensional vectors the i-th elements of which are κ₁ · g₁ ∈ G₁ and the remaining n(ψ)+ζ(ψ)-1 elements of which are the identity elements of the cyclic group G₁ (expressed as "0" in additive terms). In this example, the elements of the n(ψ)+ζ(ψ)-dimensional basis vectors a_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) are expressed as follows. $\begin{array}{l} a_{1} (ψ) = (κ_{1} \cdot g_{1}, 0, 0, \dots, 0) \\ a_{2} (ψ) = (0, κ_{1} \cdot g_{1}, 0, \dots, 0) \\ \dots \\ a_{n (ψ) + ζ (ψ)} (ψ) = (0, 0, 0, \dots, κ_{1} \cdot g_{1}) \end{array}$

κ₁ represents a constant that is an element of the finite field F_q other than the additive identity 0_F, and a specific example of κ₁ ∈ F_q is κ₁ = 1_F. The basis vectors a_i(ψ) are orthogonal bases, and any n(ψ)+ζ(ψ)-dimensional vector consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₁ is expressed by a linear sum of the n(ψ)+ζ(ψ)-dimensional basis vectors a_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). That is, the n(ψ)+ζ(ψ)-dimensional basis vectors a_i(ψ) span the vector space V(ψ).
a_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)): a_i ^*(ψ) represent n(ψ)+ζ(ψ)-dimensional basis vectors each consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₂. For example, the basis vectors a_i ^*(ψ) are n(ψ)+ζ(ψ)-dimensional vectors the i-th elements of which are κ₂ · g₂ ∈ G₂ and the remaining n(ψ)+ζ(ψ)-1 elements of which are the identity elements of the cyclic group G₂ (expressed as "0" in additive terms). In this example, the elements of the n(ψ)+ζ(ψ)-dimensional basis vectors a_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) are expressed as follows. $\begin{array}{l} {a_{1}}^{*} (ψ) = (κ_{2} \cdot g_{2}, 0, 0, \dots, 0) \\ {a_{2}}^{*} (ψ) = (0, κ_{2} \cdot g_{2}, 0, \dots, 0) \\ \dots \\ {a_{n (ψ) + ζ (ψ)}}^{*} (ψ) = (0, 0, 0, \dots, κ_{2} \cdot g_{2}) \end{array}$

κ₂ represents a constant that is an element of the finite field F_q other than the additive identity 0_F, and a specific example of κ₂ ∈ F_q is κ₂ = 1_F. The basis vectors a_i ^*(ψ) are orthogonal bases, and any n(ψ)+ζ(ψ)-dimensional vector consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₂ is expressed by a linear sum of the n(ψ)+ζ(ψ)-dimensional basis vectors a_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). That is, the n(ψ)+ζ(ψ)-dimensional basis vectors a_i ^*(ψ) span the vector space V^*(ψ).
The basis vectors a_i(ψ) and a_i ^*(ψ) satisfy the following relation with respect to the elements τ = κ₁ · κ₂ of the finite field F_q other than 0_F. $e_{ψ} (a_{i} (ψ), {a_{j}}^{*} (ψ)) = {g_{T}}^{τ \cdot δ (i, j)}$

That is, if i = j, the following relation holds from the relations expressed by formulas (36) and (37). $\begin{array}{l} e_{ψ} (a_{i} (ψ), {a_{j}}^{*} (ψ)) = Pair (κ_{1} \cdot g_{1}, κ_{2} \cdot g_{2}) \cdot Pair (0, 0) \cdot \dots \cdot Pair (0, 0) \\ = Pair {(g_{1}, g_{2})}^{κ_{1} \cdot κ_{2}} \cdot {Pair (g_{1}, g_{2})}^{0 \cdot 0} \cdot \dots \cdot {Pair (g_{1}, g_{2})}^{0 \cdot 0} \\ = Pair {(g_{1}, g_{2})}^{κ_{1} \cdot κ_{2}} = {g_{T}}^{τ} \end{array}$

The superscripts κ1 and κ2 represent κ₁ and κ₂, respectively.
On the other hand, if i ≠ j, the right side of e_ψ(a_i(ψ), a_j ^*(ψ)) = Π_i=1 ^n(ψ)+ζ(ψ) Pair(a_i(ψ), a_j ^*(ψ)) does not include Pair(κ₁ · g₁, κ₂ · g₂) but is the product of Pair(κ₁ · g₁, 0), Pair(0, κ₂ · g₂) and Pair(0, 0). Furthermore, from the relation expressed by formula (37), a relation holds: Pair(g₁, 0) = Pair(0, g₂) = Pair(g₁, g₂)⁰. Therefore, if i ≠ j, the following relation holds. $e_{ψ} (a_{i} (ψ), {a_{j}}^{*} (ψ)) = e_{ψ} {(g_{1}, g_{2})}^{0} = {g_{T}}^{0}$
In particular, if τ = κ₁ · κ₂ = 1_F (if κ₁ = κ₂ = 1_F, for example), the following relation holds. $e (a_{i} (ψ), {a_{j}}^{*} (ψ)) = {g_{T}}^{δ (i, j)}$

g_T ⁰ = 1 is the identity element of the cyclic group G_T, and g_T ¹ = g_T is the generator of the cyclic group G_T. The basis vectors a_i(ψ) and a_i ^*(ψ) are dual normal orthogonal bases, and the vector spaces V(ψ) and V^*(ψ) are dual vector spaces capable of forming a bilinear map (dual pairing vector spaces (DPVSs)).
A(ψ): A(ψ) represents an n(ψ)+ζ(ψ) row by n(ψ)+ζ(ψ) column matrix consisting of the basis vectors a_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). For example, if the basis vectors a_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) are expressed by formula (39), the matrix A(ψ) is expressed as follows. $A (ψ) = (\begin{matrix} a_{1} (ψ) \\ a_{2} (ψ) \\ ⋮ \\ a_{n (ψ) + ζ (ψ)} (ψ) \end{matrix}) = (\begin{matrix} κ_{1} \cdot g_{1} & 0 & \dots & 0 \\ 0 & κ_{1} \cdot g_{1} & ⋮ \\ ⋮ & ⋱ & 0 \\ 0 & \dots & 0 & κ_{1} \cdot g_{1} \end{matrix})$
A^*(ψ): A^*(ψ) represents an n(ψ)+ζ(ψ) row by n(ψ)+ζ(ψ) column matrix consisting of the basis vectors a_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). For example, if the basis vectors a_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) are expressed by formula (40), the matrix A^*(ψ) is expressed as follows. $A^{*} (ψ) = (\begin{matrix} {a_{1}}^{*} (ψ) \\ {a_{2}}^{*} (ψ) \\ ⋮ \\ {a_{n (ψ) + ζ (ψ)}}^{*} (ψ) \end{matrix}) = (\begin{matrix} κ_{2} \cdot g_{2} & 0 & \dots & 0 \\ 0 & κ_{2} \cdot g_{2} & ⋮ \\ ⋮ & ⋱ & 0 \\ 0 & \dots & 0 & κ_{2} \cdot g_{2} \end{matrix})$
X(ψ): X(ψ) represents an n(ψ)+ζ(ψ) row by n(ψ)+ζ(ψ) column matrix consisting of the elements of the finite field F_q. The matrix X(ψ) is used for coordinate transformation of the basis vectors a_i(ψ). If i rows by j columns of elements of the matrix X(ψ) (i = 1, ..., n(ψ) + ζ(ψ), j = 1, ..., n(ψ) + ζ(ψ)) are denoted by χ_i,j(ψ) ∈ F_q, the matrix X(ψ) is expressed as follows. $X (ψ) = (\begin{matrix} χ_{1, 1} (ψ) & χ & _{1, 2} (ψ) & \dots & χ_{1, n (ψ) + ζ (ψ)} (ψ) \\ χ_{2, 1} (ψ) & χ & _{2, 2} (ψ) & ⋮ \\ ⋮ & ⋱ & ⋮ \\ χ_{n (ψ) + ζ (ψ), 1} (ψ) & χ_{n (ψ) + ζ (ψ), 2} (ψ) & \dots & χ_{n (ψ) + ζ (ψ), n (ψ) + ζ (ψ)} (ψ) \end{matrix})$

Each element χ_i,j(ψ) of the matrix X(ψ) is referred to as a transformation coefficient.
X^*(ψ): X^*(ψ) represents a matrix that satisfies a relation: X^*(ψ) = τ' · (X(ψ)^-1)^T _. τ' ∈ F_q is an arbitrary constant belonging to the finite field F_q, e.g., τ' = 1_F. The matrix X^*(ψ) is used for coordinate transformation of the basis vectors a_i ^*(ψ). If i rows by j columns of elements of the matrix X^*(y) are denoted by χ_i,J ^*(ψ) ∈ F_q, the matrix X^*(ψ) is expressed as follows. $X^{*} (ψ) = (\begin{matrix} {χ_{1, 1}}^{*} (ψ) & χ & {_{1, 2}}^{*} (ψ) & \dots & {χ_{1, n (ψ) + ζ (ψ)}}^{*} (ψ) \\ χ \\ {_{2, 1}}^{*} (ψ) & χ & {_{2, 2}}^{*} (ψ) & ⋮ \\ ⋮ & ⋱ & ⋮ \\ {χ_{n (ψ) + ζ (ψ), 1}}^{*} (ψ) & {χ_{n (ψ) + ζ (ψ), 2}}^{*} (ψ) & \dots & {χ_{n (ψ) + ζ (ψ), n (ψ) + ζ (ψ)}}^{*} (ψ) \end{matrix})$

Each element χ_i,j*(ψ) of the matrix X^*(ψ) is referred to as a transformation coefficient.
In this case, provided that a unit matrix with n(ψ)+ζ(ψ) rows and n(ψ)+ζ(ψ) columns is denoted by I(ψ), a relation holds: X(ψ)·(X^*(ψ))^T = τ'· I(ψ). That is, the unit matrix is defined as follows. $I (ψ) = (\begin{matrix} 1_{F} & 0_{F} & \dots & 0_{F} \\ 0_{F} & 1_{F} & ⋮ \\ ⋮ & ⋱ & 0_{F} \\ 0_{F} & 0_{F} & \dots & 1_{F} \end{matrix})$

With regard to this, the following relation holds. $\begin{array}{l} (\begin{matrix} χ_{1, 1} (ψ) & χ & _{1, 2} (ψ) & \dots & χ_{1, n (ψ) + ζ (ψ)} (ψ) \\ χ_{2, 1} (ψ) & χ & _{2, 2} (ψ) & ⋮ \\ ⋮ & ⋱ & ⋮ \\ χ_{n (ψ) + ζ (ψ), 1} (ψ) & χ_{n (ψ) + ζ (ψ), 2} (ψ) & \dots & χ_{n (ψ) + ζ (ψ), n (ψ) + ζ (ψ)} (ψ) \end{matrix}) \\ \times (\begin{matrix} {χ_{1, 1}}^{*} (ψ) & χ & {_{1, 2}}^{*} (ψ) & \dots & {χ_{1, n (ψ) + ζ (ψ)}}^{*} (ψ) \\ χ \\ {_{2, 1}}^{*} (ψ) & χ & {_{2, 2}}^{*} (ψ) & ⋮ \\ ⋮ & ⋱ & ⋮ \\ {χ_{n (ψ) + ζ (ψ), 1}}^{*} (ψ) & {χ_{n (ψ) + ζ (ψ), 2}}^{*} (ψ) & \dots & {χ_{n (ψ) + ζ (ψ), n (ψ) + ζ (ψ)}}^{*} (ψ) \end{matrix}) \end{array}$
$= τʹ \cdot (\begin{matrix} 1_{F} & 0_{F} & \dots & 0_{F} \\ 0_{F} & 1_{F} & ⋮ \\ ⋮ & ⋱ & 0_{F} \\ 0_{F} & 0_{F} & \dots & 1_{F} \end{matrix})$

The n(ψ)+ζ(ψ)-dimensional vectors are defined as follows. ${χ_{i}}^{\to} (ψ) = (χ_{i, 1} (ψ), \dots, χ_{i, n (ψ) + ζ (ψ)} (ψ))$
${χ_{i}}^{\to *} (ψ) = ({χ_{i, 1}}^{*} (ψ), \dots, {χ_{i, n (ψ) + ζ (ψ)}}^{*} (ψ))$

Then, from the relation expressed by formula (48), the inner product of the n(ψ)+ζ(ψ)-dimensional vectors χ_i ^→(ψ) and χ_j ^→*(ψ) is expressed as follows. ${χ_{i}}^{\to} (ψ) \cdot {χ_{j}}^{\to *} (ψ) = τʹ \cdot δ (i, j)$
b_i(ψ): b_i(ψ) represent n(ψ)+ζ(ψ)-dimensional basis vectors each consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₁. b_i(ψ) are obtained by coordinate transformation of the basis vectors a_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) using the matrix X(ψ). More specifically, the basis vectors b_i(ψ) are obtained by the following calculation. $b_{i} (ψ) = {\sum_{j = 1}}^{n (ψ) + ζ (ψ)} χ_{i, j} (ψ) \cdot a_{j} (ψ)$

For example, if the basis vectors a_j(ψ) (j = 1, ..., n(ψ) + ζ(ψ)) are expressed by formula (39), the elements of the basis vectors b_i(ψ) are expressed as follows. $b_{i} (ψ) = (χ_{i, 1} (ψ) \cdot κ_{1} \cdot g_{1}, χ_{i, 2} (ψ) \cdot κ_{1} \cdot g_{1}, \dots, χ_{i, n (ψ) + ζ (ψ)} (ψ) \cdot κ_{1} \cdot g_{1})$

Any n(ψ)+ζ(ψ)-dimensional vector consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₁ is expressed by a linear sum of the n(ψ)+ζ(ψ)-dimensional basis vectors b_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). That is, the n(ψ)+ζ(ψ)-dimensional basis vectors b_i(ψ) span the vector space V(ψ) described above.
b_i ^*(ψ): b_i ^*(ψ) represents n(ψ)+ζ(ψ)-dimensional basis vectors each consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₂. b_i ^*(ψ) are obtained by coordinate transformation of the basis vectors a_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) using the matrix X^*(ψ). More specifically, the basis vectors b_i ^*(ψ) are obtained by the following calculation. ${b_{i}}^{*} (ψ) = {\sum_{j = 1}}^{n (ψ) + ζ (ψ)} {χ_{i, j}}^{*} (ψ) \cdot {a^{*}}_{j} (ψ)$

For example, if the basis vectors a_j ^*(ψ) (j = 1, ..., n(ψ) + ζ(ψ)) are expressed by formula (40), the elements of the basis vectors b_i ^*(ψ) are expressed as follows. ${b_{i}}^{*} (ψ) = ({χ_{i, 1}}^{*} (ψ) \cdot κ_{2} \cdot g_{1}, {χ_{i, 2}}^{*} (ψ) \cdot κ_{1} \cdot g_{1}, \dots, {χ_{i, n (ψ) + ζ (ψ)}}^{*} (ψ) \cdot κ_{2} \cdot g_{2})$
Any n(ψ)+ζ(ψ)-dimensional vector consisting of n(ψ)+ζ(ψ) elements of the cyclic group G₂ is expressed by a linear sum of the n(ψ)+ζ(ψ)-dimensional basis vectors b_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). That is, the n(ψ)+ζ(ψ)-dimensional basis vectors b_i ^*(ψ) span the vector space V^*(ψ) described above.
The basis vectors b_i(ψ) and b_i ^*(ψ) satisfy the following relation with respect to the elements τ = κ₁ · κ₂ of the finite field F_q other than 0_F. $e_{ψ} (b_{i} (ψ), {b_{j}}^{*} (ψ)) = {g_{T}}^{τ \cdot τʹ \cdot δ (i, j)}$

That is, from the relations expressed by formulas (36), (51), (53) and (55), the following relation holds. $\begin{matrix} e_{ψ} (b_{i} (ψ), {b_{j}}^{*} (ψ)) = \prod_{β = 1}^{n (ψ) + ζ (ψ)} Pair (χ_{i, β} (ψ) \cdot κ_{1} \cdot g_{1}, {χ_{j, β}}^{*} (ψ) \cdot κ_{2} \cdot g_{2}) \\ = Pair {(g_{1}, g_{2})}^{κ_{1} \cdot κ_{2} \cdot {χ_{i}}^{\to} (ψ) \cdot {χ_{j}}^{\to *} (ψ)} \\ = Pair {(g_{1}, g_{2})}^{τ \cdot τʹ \cdot δ (i, j)} = {g_{T}}^{τ \cdot τʹ \cdot δ (i, j)} \end{matrix}$

In particular, if τ = κ₁ · κ₂ = 1_F (κ₁ = κ₂ = 1_F, for example) and τ' = 1_F, the following relation holds. $e_{ψ} (b_{i} (ψ), {b_{j}}^{*} (ψ)) = {g_{T}}^{δ (i, j)}$

The basis vectors b_i(ψ) and b_i ^*(ψ) are dual normal orthogonal bases of dual pairing vector spaces (the vector spaces V(ψ) and V^*(ψ)).
If the relation expressed by formula (56) holds, other basis vectors a_i(ψ) and a_i ^*(ψ) than those illustrated by formulas (39) and (40) or other basis vectors b_i(ψ) and b_i ^*(ψ) than those illustrated by formulas (52) and (54) can also be used.
B(ψ): B(ψ) represents an n(ψ)+ζ(ψ) row by n(ψ)+ζ(ψ) column matrix consisting of the basis vectors b_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). A relation holds: B(ψ) = X(ψ) · A(ψ). For example, if the basis vectors b_i(ψ) are expressed by formula (53), the matrix B(ψ) is expressed as follows. $\begin{array}{l} B (ψ) = (\begin{matrix} b_{1} (ψ) \\ b \\ _{2} (ψ) \\ ⋮ \\ b_{n (ψ) + ζ (ψ)} (ψ) \end{matrix}) \\ = (\begin{matrix} χ_{1, 1} (ψ) \cdot κ_{1} \cdot g_{1} & \dots & χ_{1, n (ψ) + ζ (ψ)} (ψ) \cdot κ_{1} \cdot g_{1} \\ ⋮ & ⋱ & ⋮ \\ {χ_{n (ψ) + ζ (ψ), 1}}^{*} (ψ) \cdot κ_{1} \cdot g_{1} & \dots & χ_{n (ψ) + ζ (ψ), n (ψ) + ζ (ψ)} (ψ) \cdot κ_{1} \cdot g_{1} \end{matrix}) \end{array}$
B^*(ψ): B^*(ψ) represents an n(ψ)+ζ(ψ) row by n(ψ)+ζ(ψ) column matrix consisting of the basis vectors b_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). A relation holds: B^*(ψ) = X^*(ψ) · A^*(ψ). For example, if the basis vectors b_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) are expressed by formula (55), the matrix B^*(ψ) is expressed as follows. $\begin{array}{l} B^{*} (ψ) = (\begin{matrix} {b_{1}}^{*} (ψ) \\ b \\ {_{2}}^{*} (ψ) \\ ⋮ \\ {b_{n (ψ) + ζ (ψ)}}^{*} (ψ) \end{matrix}) \\ = (\begin{matrix} {χ_{1, 1}}^{*} (ψ) \cdot κ_{2} \cdot g_{2} & \dots & {χ_{1, n (ψ) + ζ (ψ)}}^{*} (ψ) \cdot κ_{2} \cdot g_{2} \\ ⋮ & ⋱ & ⋮ \\ {χ_{n (ψ) + ζ (ψ), 1}}^{*} (ψ) \cdot κ_{2} \cdot g_{2} & \dots & {χ_{n (ψ) + ζ (ψ), n (ψ) + ζ (ψ)}}^{*} (ψ) \cdot κ_{2} \cdot g_{2} \end{matrix}) \end{array}$
v(λ)^→: v(λ)^→ represent n(λ)-dimensional vectors each consisting of elements of the finite field F_q. ${v (λ)}^{\to} = (v_{1} (λ), \dots, v_{n (λ)} (λ)) \in {F_{q}}^{n (λ)}$

v_µ(λ): v_µ(λ) represent µ-th elements (µ = 1, ..., n(λ)) of the n(λ)-dimensional vectors v(λ)^→.
w(λ)^→: w(λ)^→ represent n(λ)-dimensional vectors each consisting of elements of the finite field F_q. ${w (λ)}^{\to} = (w_{1} (λ), \dots, w_{n (λ)} (λ)) \in {F_{q}}^{n (λ)}$

w_µ(λ): w_µ(λ) represent µ-th elements (µ = 1, ..., n(λ)) of the n(λ)-dimensional vectors w_µ(λ)^→.
Enc: Enc represents a common key encryption function that represents an encryption processing according to the common key cryptography.
Enc_K(M): Enc_K(M) represents a ciphertext obtained by encryption of a plaintext M according to the common key encryption function Enc using a common key K.
Dec: Dec represents a common key decryption function that represents a decryption processing according to the common key cryptography.
Dec_K(C): Dec_K(C) represents a decryption result obtained by decryption of a ciphertext C according to the common key decryption function Dec using the common key K.

Next, a basic configuration of a functional encryption scheme will be described.
The functional encryption scheme is a scheme according to which a ciphertext is decrypted if the truth value of a logical formula determined by a combination of first information and second information is "true." One of the first and second information is embedded in the ciphertext, and the other is embedded in key information. For example, the predicate encryption scheme disclosed in "Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products," with Amit Sahai and Brent Waters One of 4 papers from Eurocrypt 2008 invited to the Journal of Cryptology (Reference literature 9) is a functional encryption scheme.
There are various other well-known functional encryption schemes. In the following, however, a new functional encryption scheme that has not been published yet will be described. According to the new functional encryption scheme described below, a value corresponding to secet information is hierarchically secret-shared in a mode that depends on a predetermined logical formula. The predetermined logical formula includes propositional variables whose truth value are determined by the combination of first information and second information and includes some or all of the logical symbols ∧, ∨ and _¬ as required. If the truth value of the predetermined logical formula determined by the truth values of propositional variables is "true," the value corresponding to the secret value is reconstructed, and the ciphertext is decrypted based on the reconstructed value.

A relationship between the predetermined logical formula and the hierarchical secret sharing will be described.
As described above, according to the (N, N) threshold secret sharing scheme, although the secret information SE can be reconstructed if all the share information share(1), ..., share(N) are given, the secret information SE cannot be obtained at all if N-1 arbitrary pieces of share information share(φ₁), ..., share(φ_N-1) are given. According to the (K_t,N) threshold secret sharing scheme, although the secret information SE can be reconstructed if K_t different arbitrary pieces of share information share(φ₁), ..., share(φ_Kt) are given, the secret information SE cannot be obtained at all if K_t-1 arbitrary pieces of share information share(φ1), ..., share(φ_Kt-1) are given.
These secret sharing schemes can be performed on a field. Furthermore, these schemes can be extended to share a value corresponding to secret information SE into values corresponding to share information, shares, by secret sharing. The value corresponding to secret information SE is the secret information SE itself or a function value of the secret information SE, and values corresponding to the share information, shares, are the pieces of share information, shares, themselves or function values of the share information. For example, an element g_T ^SE ∈ G_T corresponding to secret information SE ∈ F_q that is an element of the finite field F_q can be secret-shared into elements g_T ^share(1), g_T ^share(2) ∈ G_T of the cyclic group G_T that correspond to share information, share (1), share(2) by secret sharing. The secret information SE described above is a linear combination of the share information "share." The secret sharing scheme in which the secret information SE is a linear combination of share information, share, is referred to as a linear secret sharing scheme.
The predetermined logical formula described above can be represented by tree-structure data obtained by hierarchical secret sharing of secret information. That is, according to the De Morgan's laws, the predetermined logical formula described above can be represented by a logical formula comprising literals or a logical formula comprising at least some of the logical symbols ∧ and ∨ and literals (such a logical formula will be referred to as the "normal form logical formula"), and the normal form logical formula can be represented by tree-structure data obtained by hierarchical secret sharing of secret information.
The tree-structure data that represents the normal form logical formula includes a plurality of nodes, at least some of the nodes are parent nodes of one or more child nodes, one of the parent nodes is a root node, and at least some of the child nodes are leaf nodes. A parent node of a root node or a child node of a leaf node does not exist. The root node corresponds to the value corresponding to the secret information, and the child nodes of each parent node correspond to the values corresponding to the pieces of share information obtained by secret sharing of the value corresponding to the parent node. The way of secret sharing in each node (the secret sharing scheme and the threshold) depends on the normal form logical formula. The leaf nodes correspond to literals forming the normal form logical formula, and the truth values of literals are determined by the combination of the first information and the second information.
It is assumed that the value corresponding to the share information corresponding to the leaf node corresponding to the literal whose truth value is true is obtained, although the value corresponding to the share information corresponding to the leaf node corresponding to the literal whose truth value is false is not obtained. Because of the property of the secret sharing described above, the value corresponding to the share information corresponding to the parent node (the value corresponding to the secret information if the parent node is the root node) is reconstructed only if the number of values corresponding to the share information corresponding to the child nodes of the parent node is equal to or greater than the threshold associated with the parent node. Accordingly, whether the value that is dependent on the secret information corresponding to the root node can be recovered or not is ultimately determined by which leaf node's literal has returned true as its truth value and by the configuration (including the way of secret sharing at each node) of the tree-structure data. The tree-structure data represents the normal logical formula if the tree-structure data is configured in such a way that the value dependent on the secret information corresponding to the root node can be ultimately recovered only when the truth values of the literals corresponding to the leaf nodes allow the normal logical formula to return true as its truth value. The tree-structure data that represents the normal form logical formula can be readily set. The following are specific examples thereof.
Fig. 15 is a diagram illustrating tree-structure data that represents a normal form logical formula PRO(1) ∧ PRO(2) ∨ _¬PRO(3) including propositional variables PRO(1) and PRO(2), the negation _¬PRO(3) of a propositional variable PRO(3) and the logical symbols ∧ and v. The tree-structure data illustrated in Fig. 15 includes a plurality of nodes N₁, ..., N₅. The node N₁ is a parent node of the nodes N₂ and N₅, the node N₂ is a parent node of the nodes N₃ and N₄, one node N₁ of the parent nodes is the root node, and some nodes N₃, N₄ and N₅ of the child nodes are leaf nodes. The node N₁ corresponds to the value corresponding to the secret information SE, the child nodes N₂ and N₅ of the node N₁ correspond to the values corresponding to share information SE and SE obtained by secret sharing of the value corresponding to the secret information SE according to a (1, 2) threshold secret sharing scheme. The child nodes N₃ and N₄ of the node N₂ correspond to the values corresponding to share information SE-SH₁ and SH₁ obtained by secret sharing of the value corresponding to the share information SE according to a (2, 2) threshold secret sharing scheme, respectively. That is, the leaf node N₃ corresponds to the value corresponding to share information share(1) = SE - SH₁, the leaf node N₄ corresponds to the value corresponding to share information share(2) = SH₁, and the leaf node N₅ corresponds to the value corresponding to share information share(3) = SE. The leaf nodes N₃, N₄ and N₅ correspond to the literals PRO(1), PRO(2) and _¬PRO(3) forming the normal form logical formula PRO(1) ∧ PRO(2) ∨ _¬PRO(3), respectively, and the truth values of the literals PRO(1), PRO(2) and _¬PRO(3) are determined by the combination of the first information and the second information. The value corresponding to the share information corresponding to the leaf node corresponding to the literal whose truth value is true is obtained, although the value corresponding to the share information corresponding to the leaf node corresponding to the literal whose truth value is false is not obtained. In this case, the value corresponding to the secret information SE is reconstructed only if the combination of the first information and the second information makes the truth value of the normal form logical formula PRO(1) ∧ PRO(2) ∨ a_¬PRO(3) true.
Fig. 16 is a diagram illustrating tree-structure data that represents a normal form logical formula (PRO(1) ∧ PRO(2)) ∨ (PRO(2) ∧ PRO(3)) ∨ (PRO(1) ∧ PRO(3)) ∨ _¬PRO(4) ∨ (_¬PRO(5) ∨ PRO(6)) ∧ PRO(7) including propositional variables PRO(1), PRO(2), PRO(3), PRO(6) and PRO(7), negations _¬PRO(4) and _¬PRO(5) of propositional variables PRO(4) and PRO(5) and logical symbols ∧ and v.
The tree-structure data illustrated in Fig. 16 includes a plurality of nodes N₁, ..., N₁₁. The node N₁ is a parent node of the nodes N₂, N₆ and N₇, the node N₂ is a parent node of the nodes N₃, N₄ and N₅, the node N₇ is a parent node of the nodes N₈ and N₁₁, the node N₈ is a parent node of the nodes N₉ and N₁₀, one node N₁ of the parent nodes is the root node, and some nodes N₃, N₄, N₅, N₆, N₉, N₁₀ and N₁₁ of the child nodes are leaf nodes. The node N₁ corresponds to the value corresponding to the secret information SE, the child nodes N₂, N₆ and N₇ of the node N₁ correspond to the values corresponding to share information SE, SE and SE obtained by secret sharing of the value corresponding to the secret information SE according to a (1, 3) threshold secret sharing scheme. The child nodes N₃, N₄ and N₅ of the node N₂ correspond to the values corresponding to share information (1, f(1)), (2, f(2)) and (3, f(3)) obtained by secret sharing of the value corresponding to the share information SE according to a (2, 3) threshold secret sharing scheme, respectively. The child nodes N₈ and N₁₁ of the node N₇ correspond to the values corresponding to share information SH₄ and SE-SH₄ obtained by secret sharing of the value corresponding to the share information SE according to a (2, 2) threshold secret sharing scheme, respectively. The child nodes N₉ and N₁₀ of the node N₈ correspond to the values corresponding to share information SH₄ and SH₄ obtained by secret sharing of the value corresponding to the share information SH₄ according to a (1, 2) threshold secret sharing scheme, respectively. That is, the leaf node N₃ corresponds to the value corresponding to share information share(1) = (1, f(1)), the leaf node N₄ corresponds to the value corresponding to share information share(2) = (2, f(2)), the leaf node N₅ corresponds to the value corresponding to share information share(3) = (3, f(3)), the leaf node N₆ corresponds to the value corresponding to share information share(4) = SE, the leaf node N₉ corresponds to the value corresponding to share information share(5) = SH₄, the leaf node N₁₀ corresponds to the value corresponding to share information share(6) = SH₄, and the leaf node N₁₁ corresponds to the value corresponding to share information share(7) = SE - SH₄. The leaf nodes N₃, N₄, N₅, N₆, N₉, N₁₀ and N₁₁ correspond to the literals PRO(1), PRO(2), PRO(3), _¬PRO(4), _¬PRO(5), PRO(6) and PRO(7) forming the normal form logical formula (PRO(1) ∧ PRO(2)) ∨ (PRO(2) ∧ PRO(3)) ∨ (PRO(1) ∧ PRO(3)) ∨ _¬PRO(4) ∨ (_¬PRO(5) ∨ PRO(6)) ∧ PRO(7), respectively, and the truth values of the literals PRO(1), PRO(2), PRO(3), _¬PRO(4), _¬PRO(5), PRO(6) and PRO(7) are determined by the combination of the first information and the second information. The values corresponding to the share information corresponding to the leaf node corresponding to the literal whose truth value is true is obtained, although the value corresponding to the share information corresponding to the leaf node corresponding to the literal whose truth value is false is not obtained. In this case, the value corresponding to the secret information SE is reconstructed only if the combination of the first information and the second information makes the truth value of the normal form logical formula (PRO(1) ∧ PRO(2)) ∨ (PRO(2) ∧ PRO(3)) ∨ (PRO(1) ∧ PRO(3)) ∨ _¬PRO(4) ∨ (_¬PRO(5) ∨ PRO(6)) ∧ PRO(7) true.

In the case where the predetermined logical formula is represented by the tree-structure data obtained by hierarchical secret sharing of the secret information as described above, whether the truth value of the logical formula determined by the combination of the first information and the second information is "true" or "false" can be determined based on whether or not the value corresponding to the secret information can be reconstructed from the values corresponding to the share information corresponding to the leaf nodes obtained for the combination of the first information and the second information. In the following, a mechanism that accepts the combination of the first information and the second information if the truth value of the logical formula determined by the combination of the first information and the second information is "true" and rejects the combination of the first information and the second information if the truth value is "false" will be referred to as an access structure.
It is assumed that the total number of leaf nodes in the tree-structure data that represents the predetermined logical formula as described above is denoted by Ψ, and identifiers corresponding to the leaf nodes are denoted by λ = 1, ..., Ψ. It is also assumed that the first information is a set {v(λ)^→}_{λ=1, ..., Ψ} of n(λ)-dimensional vectors v(λ)^→ corresponding to the leaf nodes, and the second information is a set {w(λ)^→}_{λ=1, ..., Ψ} of n(λ)-dimensional vectors w(λ)^→. The tree-structure data described above is implemented as a labeled matrix LMT(MT, LAB).
The labeled matrix LMT(MT, LAB) includes the following matrix MT with Ψ rows and COL columns (COL ≥ 1) and labels LAB(λ) associated with rows λ = 1, ..., Ψ of the matrix MT. $MT = (\begin{matrix} {mt}_{1, 1} & \dots & {mt}_{1, COL} \\ ⋮ & ⋱ & ⋮ \\ {mt}_{Ψ, 1} & \dots & {mt}_{Ψ, COL} \end{matrix})$
Each element mt_λ,col (col = 1, ..., COL) of the matrix MT satisfies two requirements described below. First, if the root node of the tree-structure data that represents the predetermined logical formula corresponds to the value corresponding to the secret information SE ∈ F_q as described above, the following relations hold between a COL-dimensional vector GV^→ consisting of elements of the predetermined finite field F_q and COL-dimensional vector CV^→ consisting of elements of the finite field F_q corresponding to the secret information SE. ${GV}^{\to} = ({gv}_{1} \dots {gv}_{COL}) \in {F_{q}}^{COL}$
${CV}^{\to} = ({cv}_{1} \dots {cv}_{COL}) \in {F_{q}}^{COL}$
$SE = {GV}^{\to} \cdot {({GV}^{\to})}^{T}$

The following is a specific example of the COL-dimensional vector GV^→. ${GV}^{\to} = (1_{F} \dots 1_{F}) \in {F_{q}}^{COL}$

Note that other COL-dimensional vectors GV^→, such as GV^→ = (1_F, 0_F, ..., 0_F) ∈ F_q ^COL, are also possible.
Second, if the leaf nodes corresponding to the identifiers λ, correspond to the values corresponding to the share information share(λ) ∈ F_q, the following relation holds. ${(share (1), \dots, share (Ψ))}^{T} = MT \cdot {({CV}^{\to})}^{T}$

As described above, if the tree-structure data that represents the predetermined logical formula is determined, the matrix MT that satisfies the two requirements can be readily selected. Even if the secret information SE or the share information share(λ) is a variable, the matrix MT that satisfies the two requirements can be readily selected. That is, the value of the secret information SE or the share information share(λ) may be determined after the matrix MT is determined.
The label LAB(λ) associated with each row λ = 1, ..., Ψ of the matrix MT corresponds to the literal (PRO(λ) or _¬PRO(λ)) corresponding to the leaf node corresponding to the identifier λ. It is assumed herein that if the truth value of the propositional variable PRO(λ) is "true", it is equivalent to that the inner product v(λ)^→ · w(λ)^→ of the v(λ)^→ included in the first information VSET1 = {λ, v(λ)^→|λ = 1, ..., Ψ} and w(λ)^→ included in the second information VSET2 = {λ, w(λ)^→|λ = 1, ..., Ψ} is 0, and that if the truth value of the propositional variable PRO(λ) is "false," it is equivalent to that the inner product v(λ)^→ · w(λ)^→ is not 0. It is also assumed that the label LAB(λ) corresponding to PRO(λ) represents v(λ)^→, and the label LAB(λ) corresponding to _¬PRO(λ) represents _¬v(λ)^→. _¬v(λ)^→ is a logical formula of the negation of v(λ)^→, and v(λ)^→ can be identified from _¬v(λ)^→. The expression "LAB(λ) = v(λ)^→" means that LAB(λ) represents v(λ)^→, and the expression "LAB(λ) = _¬v(λ)^→" means that LAB(λ) represents _¬v(λ)^→. A set {LAB(λ)}_{λ=1,..., Ψ} of LAB(λ)'s (λ = 1, ..., Ψ) is expressed as LAB.
A Ψ-dimensional vector TFV^→ is defined as follows. ${TFV}^{\to} = (tfv (1), \dots, tfv (Ψ))$

The element tfv(λ) is 1 (tfv(λ) = 1) if the inner product v(λ)^→· w(λ)^→ is 0, and 0 (tfv(λ) = 0) if the inner product is not 0. $tfv (λ) = 1 (PRO (λ) is true) if v {(λ)}^{\to} \cdot w {(λ)}^{\to} = 0$
$tfv (λ) = 0 (PRO (λ) is false) if v {(λ)}^{\to} \cdot w {(λ)}^{\to} \neq 0$

Furthermore, LIT(λ) = 1 if the truth value of the following logical formula is "true," and LIT(λ) = 0 if the logical formula is "false." $\{(LAB (λ) = v {(λ)}^{\to}) \land (tfv (λ) = 1)\} \lor \{(LAB (λ) =_{⌜} v {(λ)}^{\to})) \land (tfv (λ) = 0)\}$

That is, LIT(λ) = 1 if the truth value of the literal corresponding to the leaf node corresponding to the identifier λ is "true," and LIT(λ) = 0 if the truth value is "false." Then, a submatrix MT_TFV made up only of row vectors mt_λ ^→ = (mt_{λ, 1}, ... , mt_λ, COL) that yield LIT(λ) = 1 among the vectors in the matrix MT can be written as ${MT}_{TFV} = {(MT)}_{LIT (λ) = 1}$
If the secret sharing scheme described above is a linear secret sharing scheme, that the value corresponding to the secret information SE can be reconstructed from the values corresponding to the share information share(λ) corresponding to the identifiers λ is equivalent to that the COL-dimensional vector GV^→ belongs to the vector space formed by the row vectors mt_λ ^→ corresponding to the identifiers λ. That is, whether the value corresponding to the secret information SE can be reconstructed from the values corresponding to the share information share(λ) corresponding to the identifiers λ can be determined by determining whether or not the COL-dimensional vector GV^→ belongs to the vector space spanned by the row vectors mt_λ ^→ corresponding to the identifiers λ. The "vector space formed by the row vectors mt_λ ^→" means a vector space that can be expressed by a linear combination of the row vectors mt_λ ^→.
It is assumed that the combination of the first information and the second information is accepted if the COL-dimensional vector GV^→ belongs to a vector space "span<MT_TFV>" spanned by the row vectors mt_λ ^→ of the submatrix MT_TFV described above, and is otherwise rejected. In this way, the access structure described above is embodied. In the case where the labeled matrix LMT(MT, LAB) corresponds to the first embodiment as described above, if the access structure accepts the combination of the first information and the second information, it is described as "the access structure accepts the second information," and if the access structure does not accept the combination of the first information and the second information, it is described as "the access structure rejects the second information." $accept if {GV}^{\to} \in span < {MT}_{TFV} >$
$reject if ⌜ ({GV}^{\to} \in span < {MT}_{TFV} >)$
In the case where GV^→ ∈ span<MT_TFV>, there are constants const(µ) that satisfy the following relation, and the constants const(µ) can be determined in a polynomial time of the order of the size of the matrix MT. $SE = \sum_{μ \in SET} const (µ) \cdot share (µ)$
$\{const (µ) \in F_{q} | µ \in SET\}, SET \subseteq \{1, \dots, λ | LIT (λ) = 1\}$

In the following, a basic scheme for forming key encapsulation mechanisms (KEM) with the functional encryption scheme using the access structure will be illustrated. The basic scheme involves Setup(1^sec, (Ψ; n(1), ..., n(Ψ))), GenKey(PK, MSK, LMT(MT, LAB)), Enc(PK, M, {λ, v(λ)^→|λ = 1, ..., Ψ})(v₁(λ) = 1_F) and Dec(PK, SKS, C). In addition, the first element w₁(λ) of the second information VSET2 = (λ, w(λ)^→|λ = 1, ..., Ψ} is 1_F.
[Setup(1^sec, (Ψ; n(1), ..., n(Ψ))); setup] $Input : 1^{\sec}, (Ψ; n (1), \dots, n (Ψ))$

Output: master key information MSK, public parameters PK
In setup, the following processing is performed for each ψ = 0, ..., Ψ.
(Setup-1) Using 1^sec as an input, the order q, the elliptic curve E, the cyclic groups G₁, G₂ and G_T, the bilinear map e_ψ(Ψ = 0, ..., Ψ) for the security parameter sec are generated (param = (q, E, G₁, G₂, G_T, e_ψ).
(Setup-2) τ' ∈ F_q is selected, and the matrixes X(ψ) and X^*(ψ) that satisfy a relation: X^*(ψ) = τ' · (X(ψ)^-1)^T are selected.
(Setup-3) Coordinate transformation of the basis vectors a₁(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) is performed according to formula (52) to generate n(ψ)+ζ(ψ)-dimensional basis vectors b_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). The n(ψ)+ζ(ψ) row by n(ψ)+ζ(ψ) column matrix B(ψ) consisting of the basis vectors b_i(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) is generated.
(Setup-4) Coordinate transformation of the basis vectors a_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) is performed according to formula (54) to generate n(ψ)+ζ(ψ)-dimensional basis vectors b_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)). The n(ψ)+ζ(ψ) row by n(ψ)+ζ(ψ) column matrix B^*(ψ) consisting of the basis vectors b_i ^*(ψ) (i = 1, ..., n(ψ) + ζ(ψ)) is generated.
(Setup-5) A set {B^*(ψ)^}_{ψ=0,..., Ψ} of B^*(ψ)^ is set as the master key information (MSK = (B^*(ψ)^}_{ψ=0,..., Ψ}). A set {B^*(ψ)^}_{ψ=0,..., Ψ} of B(ψ)^, 1^sec and param are set as the public parameters PK. Note that B^*(ψ)^ is the matrix B^*(ψ) or a submatrix thereof, and B(ψ)^ is the matrix B(ψ) or a submatrix thereof. The set {B^*(ψ)^}_{ψ=0,..., Ψ} includes at least b₁ ^*(0), b₁ ^*(λ), ..., and b_n(λ)^*(λ) (λ = 1, ..., Ψ). The set {B(ψ)^}_{ψ=0, ..., Ψ} includes at least b₁(0), b₁(λ), ..., b_n(λ)(λ = 1, ..., Ψ). The following is an example. $\cdot n (0) + ζ (0) \geq 5, ζ (λ) = 3 \cdot n (λ)$
$\cdot {B (0)}^{\land} = {(b_{1} (0) b_{3} (0) b_{5} (0))}^{T}$
$\cdot {B (λ)}^{\land} = {(b_{1} (λ) \dots b_{n (λ)} (λ) b_{3 \cdot n (λ) + 1} (λ) \dots b_{4 \cdot n (λ)} (λ))}^{T} (λ = 1, \dots, Ψ)$
$\cdot {B^{*} (0)}^{\land} = {({b_{1}}^{*} (0) {b_{3}}^{*} (0) {b_{4}}^{*} (0))}^{T}$
$\cdot {B^{*} (λ)}^{\land} = {({b_{1}}^{*} (λ) \dots {b_{n (λ)}}^{*} (λ) {b_{2 \cdot n (λ) + 1}}^{*} (λ) \dots {b_{3 \cdot n (λ)}}^{*} (λ))}^{T} (λ = 1, \dots, Ψ)$

[GenKey (PK, MSK, LMT(MT, LAB)): Key Information Generation]

Input: public parameters PK, master key information MSK, labeled matrix LMT(MT, LAB) corresponding to first information VSET1 = {λ, v(λ)^→|λ = 1, ..., Ψ}
Output: key information SKS
(GenKey-1) The following processing is performed on the secret information SE that satisfies formulas (63) to (67). $D^{*} (0) = - SE \cdot {b_{1}}^{*} (0) + {\sum_{ι = 2}}^{I} {coef}_{ι} (0) \cdot {b_{ι}}^{*} (0)$

Note that I is a constant equal to or greater than 2 and equal to or smaller than n(0) + ζ(0). coef_i(0) ∈ Fq are constants or random numbers. The "random number" means a true random number or a pseudo-random number. The following is an example of D^*(0). Note that coef₄(0) in formula (75) is a random number. $D^{*} (0) = - SE \cdot {b_{1}}^{*} (0) + {b_{3}}^{*} (0) {coef}_{4} (0) \cdot {b_{4}}^{*} (0)$
(GenKey-2) The following processing is performed on each share(λ) (λ = 1, ..., Ψ) that satisfies formulas (63) to (67).
For λ that satisfies a relation: LAB(λ) = v(λ)^→, the following D^*(λ) is generated. $D^{*} (λ) = (share (λ) + coef (λ) \cdot v_{1} (λ)) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = 2}}^{n (λ)} coef (λ) \cdot v_{ι} (λ) \cdot {b_{ι}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ) \cdot {b_{ι}}^{*} (λ)$

For λ that satisfies a relation: LAB(λ) = _¬v(λ)^→, the following D^*(λ) is generated. $D^{*} (λ) = (share (λ) \cdot {\sum_{ι = 2}}^{n (λ)} v_{ι} (λ) \cdot {b_{ι}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ) \cdot {b_{ι}}^{*} (λ) .$

Note that coef(λ), coef_i(λ) ∈ F_q are constants or random numbers. The following is an example.
For λ that satisfies a relation: LAB(λ) = v(λ)^→, the following D^*(λ) is generated, for example. $D^{*} (λ) = (share (λ) + coef (λ) \cdot v_{1} (λ)) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = 2}}^{n (λ)} coef (λ) \cdot v_{ι} (λ) \cdot {b_{ι}}^{*} (λ)$
$+ {\sum_{ι = 2 \cdot n (λ) + 1}}^{3 \cdot n (λ)} {coef}_{ι} (λ) \cdot {b_{ι}}^{*} (λ)$

For λ that satisfies a relation: LAB(λ) = _¬v(λ)^→, the following D^*(λ) is generated, for example. $D^{*} (λ) = share (λ) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {b_{ι}}^{*} (λ) + {\sum_{ι = 2 \cdot n (λ) + 1}}^{3 \cdot n (λ)} {coef}_{ι} (λ) \cdot {b_{ι}}^{*} (λ)$

Note that coef(λ) and coef_i(λ) in formulas (78) and (79) are random numbers.
(GenKey-3) The following key information is generated. $SKS = (LMT (MT, LAB), D^{*} (0), D^{*} (1), \dots, D (ψ))$

[Enc(PK, M, VSET2): Encryption]

Input: public parameter PK, plaintext M, second information VSET2 = {λ, w(λ)^→|λ = 1, ..., Ψ}(w₁(λ) = 1_F)
Output: ciphertext C
(Enc-1) A ciphertext C(ψ) (ψ = 0, ..., Ψ) with a common key K is generated by the following processing. $C (0) = υ \cdot b_{1} (0) + {\sum_{ι = 2}}^{I} υ_{ι} (0) \cdot b_{ι} (0)$
$C (λ) = υ \cdot {\sum_{ι = 1}}^{n (λ)} w_{ι} (λ) \cdot b_{ι} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} υ_{ι} (λ) \cdot b_{ι} (λ)$

Note that u, υ_i(ψ) ∈ F_q (ψ = 0, ..., Ψ) are constants or random numbers, and the following relations hold. $({coef}_{2} (0), \dots, {coef}_{I} (0)) \cdot (υ_{2} (0), \dots, υ_{I} (0)) = υʹ$
${coef}_{ι} (λ) \cdot υ_{ι} (λ) = 0_{F} (ι = n (λ) + 1, \dots, n (λ) + ζ (λ))$

An example of u' is any one of υ₂(0), ..., υ_I(0). For example, u, υ₃(0), υ₅(0), υ_3·n(λ)+1(λ), ..., υ_4·n(λ)(λ) are random numbers, ζ(λ) = 3 · n(λ) and I = 5, and the following relations hold. $(υ_{2} (0), \dots, υ_{I} (0)) = (0_{F}, υ_{3} (0), 0_{F}, υ_{5} (0))$
$υʹ = υ_{3} (0)$
$(υ_{n (λ) + 1} (λ), \dots, υ_{3 \cdot n (λ)} (λ)) = (0_{F} \dots 0_{F})$
(Enc-2) The following common key is generated. $K = {g_{T}}^{τ \cdot τʹ \cdot υʹ} \in G_{T}$

For example, if τ = τ' = 1_F, the following relation holds. $K = {g_{T}}^{υʹ} \in G_{T}$
(Enc-3) The following ciphertext C(Ψ+1) of the plaintext M is generated using the common key K. $C (Ψ + 1) = {Enc}_{K} (M)$

The common key encryption scheme Enc can be Camellia (registered trademark) capable of encryption using the common key K, AES or exclusive-OR of the common key and the plaintext. As another simple example, Enc_K(M) may be generated as follows. Note that M ∈ G_T in formula (88). $C (Ψ + 1) = {g_{T}}^{υʹ} \cdot M$
(Enc-4) The following ciphertext is generated. $C = (VSET 2, C (0), {\{C (λ)\}}_{(λ, w (λ) \to) \in VSET 2,} C (Ψ + 1))$

Note that the subscript "w(λ)→" means "w(λ)^→."

[Dec(PK, SKS, C): Decryption]

Input: public parameter PK, key information SKS, ciphertext C
Output: plaintext M'
(Dec-1) For λ = 1, ..., Ψ, it is determined whether or not the inner product v(λ)^→· w(λ)^→ of the n(λ)-dimensional vectors v(λ)^→ and the n( λ )-dimensional vector w( λ )^→ is 0, where the n( λ )-dimensional vector v( λ )^→ is each of the labels LAB(λ) of the labeled matrix LMT(MT, LAB) included in the key information SKS and the n(λ)-dimensional vectors w(λ)^→ is included in VSET2 of the ciphertext C, and based on the determination results and the labels LAB(λ) of the labeled matrix LMT(MT, LAB), it is determined whether or not GV^→ ∈ span<MT_TFV> (formula (69) to (73)). The ciphertext C is rejected if GV^→ ∈ span<MT_TFV> is not satisfied, and is accepted if GV^→ ∈ span<MT_TFV> is satisfied.
(Dec-2) If the ciphertext C is accepted, SET c {1, ..., λ|LIT(λ) = 1} and the coefficients const(µ) (µ ∈ SET) are calculated.
(Dec-3) The following common key is generated. $K = e_{0} (C (0), D^{*} (0)) \cdot \prod_{µ \in SET \land LAB (µ) = {v (µ)}^{\to}} e_{µ} {(C (µ), D^{*} (µ))}^{const (µ)} \cdot \prod_{µ \in SET \land LAB (µ) = ⌝ {v (µ)}^{\to}} e_{µ} {(C (µ), D^{*} (µ))}^{const (µ) / ({v (µ)}^{\to} \cdot {w (µ)}^{\to})}$
From formulas (37), (56) and (83), the following relation holds. $\begin{array}{l} e_{0} (C (0), D^{*} (0)) \\ = e_{0} (υ \cdot b_{1} (0) + \sum_{ι = 2}^{I} υ_{ι} (0) \cdot b_{ι} (0), - SE \cdot {b_{1}}^{*} (0) + \sum_{ι = 2}^{I} {coef}_{ι} (0) \cdot {b_{ι}}^{*} (0)) \\ = e_{0} (υ \cdot b_{1} (0), - SE \cdot {b_{1}}^{*} (0)) \cdot \prod_{ι = 2}^{I} e_{0} (υ_{ι} (0) \cdot b_{ι} (0), {coef}_{ι} (0) \cdot {b_{ι}}^{*} (0))) \\ = e_{0} {(b_{1} (0), {b_{1}}^{*} (0))}^{- SE \cdot υ} \cdot \prod_{τ = 2}^{I} e_{0} {(b_{ι} (0), {b_{ι}}^{*} (0))}^{υ_{ι} (0) . {coef}_{ι} (0)}) \\ {\begin{matrix} = g_{T} \end{matrix}}^{τ \cdot τʹ \cdot δ (1, 1) \cdot (- SE \cdot υ)} \cdot \prod_{ι = 2}^{I} {\begin{matrix} g_{T} \end{matrix}}^{τ \cdot τʹ \cdot δ (ι, ι) \cdot υ_{ι} (0) \cdot {coef}_{ι} (0)} \\ {= g_{T}}^{τ \cdot τʹ \cdot (- SE \cdot υ + υʹ)} \end{array}$
From formulas (37), (56), (69), (76), (82) and (84) and w₁(λ) = 1_F, the following relation holds. $\begin{array}{l} \begin{array}{l} \prod_{µ \in SET \land LAB (µ) = {v (µ)}^{\to}} e_{µ} {(C (µ), D^{*} (µ))}^{const (µ)} \\ = \prod_{µ \in SET \land LAB (µ) = {v (µ)}^{\to}} e_{µ} (υ \cdot \sum_{ι = 1}^{n (µ)} w_{ι} (µ) \cdot b_{ι} (µ) + \sum_{ι = n (µ) + 1}^{n (µ) + ζ (µ)} υ_{ι} (µ) \cdot b_{ι} (µ), \\ share (µ) \cdot {b_{1}}^{*} (µ) + \sum_{ι = 1}^{n (µ)} coef (µ) \cdot v_{ι} (μ) \cdot {b_{ι}}^{*} (µ) \\ + {\sum_{ι = n (µ) + 1}^{n (µ) + ζ (µ)} {coef}_{ι} (µ) \cdot {b_{ι}}^{*} (µ))}^{const (µ)} \\ = \prod_{µ \in SET \land LAB (µ) = {v (µ)}^{\to}} {\{\begin{array}{l} e_{µ} (υ \cdot \sum_{ι = 1}^{n (µ)} w_{ι} (µ) \cdot {b_{ι}}^{*} (µ), share (µ) \cdot {b_{1}}^{*} (µ)) \\ e_{µ} (υ \cdot \sum_{ι = 1}^{n (µ)} w_{ι} (µ) \cdot b_{ι} (μ), \sum_{ι = 1}^{n (µ)} coef (µ) \cdot v_{ι} (µ) {b_{ι}}^{*} (µ)) \end{array}\}}^{const (µ)} \\ = \prod_{µ \in SET \land LAB (µ) = {v (µ)}^{\to}} {({g_{T}}^{τ \cdot τʹ \cdot υ \cdot share (µ)} \cdot \prod_{ι = 1}^{n (µ)} {g_{T}}^{τ \cdot τʹ \cdot υ \cdot coef (µ) \cdot w_{ι} (µ) \cdot v_{ι} (µ)})}^{const (µ)} \end{array} \\ = \prod_{µ \in SET \land LAB (µ) = {v (µ)}^{\to}} {g_{T}}^{τ \cdot τʹ \cdot υ \cdot const (µ) \cdot share (µ)} \end{array}$
From formulas (37), (56), (70), (77), (82) and (84), the following relation holds. $\begin{array}{l} \begin{array}{l} \prod_{μ \in SET \land LAB (μ) = ⌝ {v (μ)}^{\to}} e_{μ} {(C (μ), D^{*} (μ))}^{const (μ) / (v {(μ)}^{\to} \cdot w {(μ)}^{\to})} \\ = \prod_{μ \in SET \land LAB (μ) = ⌝ {v (μ)}^{\to}} e_{μ} (υ \cdot \sum_{ι = 1}^{n (µ)} w_{ι} (μ) \cdot {b_{ι}}^{*} (μ) + \sum_{ι = n (μ) + 1}^{n (μ) + ζ (μ)} υ_{ι} (μ) \cdot b_{ι} (μ), \\ share (μ) \cdot \sum_{ι = 1}^{n (µ)} v_{ι} (μ) \cdot {b_{ι}}^{*} (μ) + {(\sum_{ι = n (μ) + 1}^{n (μ) + ζ (μ)} {coef}_{ι} (μ) {b_{1}}^{*} (μ))}^{cons (μ) / ({v (μ)}^{\to} \cdot {w (μ)}^{\to})} \cdot \\ = \prod_{μ \in SET \land LAB (μ) = ⌝ {v (μ)}^{\to}} {\{\prod_{ι = 1}^{n (μ)} e_{μ} {(b_{ι} (μ), {b_{ι}}^{*} (μ))}^{υ \cdot share (μ) \cdot w_{i} (μ) \cdot v_{i} (μ)}\}}^{const (μ) / (v {(μ)}^{\to} \cdot w {(μ)}^{\to})} \\ = \prod_{μ \in SET \land LAB (μ) = ⌝ {v (μ)}^{\to}} {(\prod_{ι = 1}^{n (μ)} {g_{T}}^{τ \cdot τʹ \cdot υ \cdot share (μ) \cdot w_{i} (μ) \cdot v_{i} (μ)})}^{const (μ) / (v {(μ)}^{\to} \cdot w {(μ)}^{\to})} \end{array} \\ = \prod_{μ \in SET \land LAB (μ) = ⌝ {v (μ)}^{\to}} {\{{g_{T}}^{τ \cdot τʹ \cdot υ \cdot share (μ) \cdot {v (μ)}^{\to} \cdot {w (μ)}^{\to}}\}}^{const (μ) / (v {(μ)}^{\to} \cdot w {(μ)}^{\to})} \end{array}$
$= \prod_{µ \in SET \land LAB (µ) = ⌝ {v (µ)}^{\to}} {g_{T}}^{τ \cdot τʹ \cdot υ \cdot const (µ) \cdot share (µ)}$
From formulas (73) and (91) to (93), the following relation holds. $K = {g_{T}}^{τ \cdot τʹ \cdot (- SE \cdot υ + υʹ)} \cdot \prod_{µ \in SET \land LAB (µ) = {v (µ)}^{\to}} {g_{T}}^{τ \cdot τʹ \cdot υ \cdot const (µ) \cdot share (µ)} \cdot \prod_{µ \in SET \land LAB (µ) = ⌝ {v (µ)}^{\to}} {g_{T}}^{τ \cdot τʹ \cdot υ \cdot const (µ) \cdot share (µ)} = {g_{T}}^{τ \cdot τʹ \cdot (- SE \cdot υ + υʹ)} \cdot {g_{T}}^{τ \cdot τʹ \cdot υ \cdot SE} = {g_{T}}^{τ \cdot τʹ \cdot υʹ}$

For example, if τ = τ' = 1_F, the following relation holds. $K = {g_{T}}^{υʹ} \in G_{T}$
(Dec-4) The plaintext M' is generated as follows using the common key K. $Mʹ = {Dec}_{K} (C (Ψ + 1)) = {Dec}_{K} (C (Ψ + 1))$

For example, if the common key encryption scheme shown by formula (88) is used, the plaintext M' is generated as follows. $Mʹ = C (Ψ + 1) / K$
The g_T ^τ, g_T ^τ', or g_T ^τ·τ' may be used, instead of g₁, as the generator of G_T. A map that determines the correspondence between λ for the key information SKS and λ for ciphertext may be used to determine the combination of C(λ) and D*(λ), thereby performing the processing of [Dec(PK, SKS, C): Decryption]. Not only the first element w₁(λ) of the second information VSET2 = {λ, w(λ)^→|λ = 1, ..., Ψ} but also the n(λ)-th element v_n(λ)(λ) of the first information VSET1 = {λ, v(λ)^→|λ = 1, ..., Ψ} can be set at 1_F. If the element w₁(λ) is not 1_F, w(λ)^→/w₁(λ) can be used instead of w(λ)^→, and if the element v_n(λ)(λ) is not 1_F, v(λ)^→/v_n(λ)(λ) can be used instead of v(λ)^→. The second information VSET2 = {λ, w(λ)^→|λ = 1, ..., Ψ} can be used instead of the first information VSET1 = {λ, v(λ)→|λ = 1, ..., Ψ}, and the first information VSET1 = {λ, v(λ)^→|λ = 1, ..., Ψ} can be used instead of the second information VSET2 = {λ, w(λ)^→|λ = 1, ..., Ψ}. In that case, the first element v₁(λ) of the first information VSET1 = {λ, v(λ)^→|λ = 1, ..., Ψ} is set at 1_F.

Fig. 17 is a block diagram for illustrating a general configuration of a secret sharing system according to the second embodiment.
As illustrated in Fig. 17, a secret sharing system 6 according to this embodiment comprises a sharing apparatus 610, Σ_α=1 ^L h(α) share management apparatuses [PA(α, h(α)) (α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2)] 620-α-h(α), an acquisition apparatus 630 and common value generation apparatuses 640-1 to 640-L and 650, which can communicate with each other via the network 150. For simplicity of explanation, this embodiment will be described with regard to an example where there are only one sharing apparatus 610 and only one acquisition apparatus 630, there can be two or more sharing apparatuses 610 and two or more acquisition apparatuses 630. Similarly, this embodiment will be described with regard to an example where there is only one set of Σ_α=1 ^L h(α) share management apparatuses [PA(α, h(α))] 620-α-h(α), there can be a plurality of such sets.
As illustrated in Fig. 17, the set of Σ_α=1 ^L h(α) share management apparatuses [PA(α, h(α))] 620-α-h(α) is divided into a plurality of subsets SUB(α) each consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)). Each subset SUB(α) is associated with a common value generation apparatus 640-α.
Fig. 18 is a block diagram for illustrating a configuration of the sharing apparatus 610 according to the second embodiment. Figs. 19A and 19B are block diagrams for illustrating oncigurations of the common value generation apparatuses 640-1 to 640-L and 650. Fig. 20 is a block diagram for illustrating a configuration of the share management apparatus [PA(α, h(α))] 620-α-h(α) according to th second embodiment. Fig. 21 is a block diagram for illustrating a configuration of the acquisition apparatus 630 according to the second embodiment. In these drawings, the same components as those in the first embodiment are denoted by the same reference numerals as those in the first embodiment and will be only simply described below.

As illustrated in Fig. 18, the sharing apparatus 610 according to this embodiment comprises the temporary storage 111, the storage 112, the controller 113, secret sharing units 614-α (α = 1, ..., L) and the transmitter 115. The sharing apparatus 610 according to this embodiment is implemented by a predetermined program loaded to and executed by a well-known computer comprising a CPU, a RAM, a ROM and the like, for example.

As illustrated in Fig. 19A, the common value generation apparatus 640-α according to this embodiment has a coefficient setting unit 641-α and a transmitter 642-α. As illustrated in Fig. 19B, the common value generation apparatus 650 according to this embodiment has a storage 651, common information generation units 652 and 653 and a transmitter 654.

As illustrated in Fig. 20, the share management apparatus [PA(α, h(α))] 620-α-h(α) according to this embodiment has the temporary storage 121-α-h(α), the storage 122-α-h(α), the controller 123-α-h(α), share secret value generation units 621-α-h(α), 622-α-h(α) and 623-α-h(α), a selection unit 624-α-h(α), the transmitter 125-α-h(α) and the receiver 126-α-h(α). The share management apparatus [PA(α, h(α))] 620-α-h(α) according to this embodiment is implemented by a predetermined program loaded to and executed by a well-known computer comprising a CPU, a RAM, a ROM and the like, for example.

As illustrated in Fig. 21, the acquisition apparatus 630 according to this embodiment has the temporary storage 131, the storage 132, the controller 133, reconstruction units 634-α and 636-α (α = 1, ..., L), synthesis units 635 and 637 and the receiver 136. The acquisition apparatus 630 according to this embodiment is implemented by a predetermined program loaded to and executed by a well-known computer comprising a CPU, a RAM, a ROM and the like, for example.

Next, a secret sharing processing according to this embodiment will be described.
According to this embodiment, which is an application of the first embodiment, the basis vectors b_i ^*(ψ) (formula (55)), which are master key information of the functional encryption scheme using the access structure, are shared, and the key information D^*(ψ) is reconstructed from the calculation results of the share information obtained by the secret sharing. In the following, an example will be described where general key information D^*(ψ) expressed by formula (74), (76) or (77), for example, is reconstructed. Of course, however, the same processing can be applied to specific key information D^*(ψ) expressed by formula (75), (78) or (79), for example.
Each element expressed by formula (98) that forms the basis vectors b_i ^*(ψ) expressed by formula (55) is expressed by formula (99). ${χ_{i, β}}^{*} (ψ) \cdot κ_{2} \cdot g_{2} \in G_{2} (i = 1, \dots, n (ψ) + ζ (ψ), β = 1, \dots, n (ψ) + ζ (ψ))$
$θ (ψ, i, β) \cdot g_{2} \in G_{2}$

Note that the following relation holds. $θ (ψ, i, β) = {χ_{i, β}}^{*} (ψ) \cdot κ_{2} \in F_{q}$

That is, the basis vectors b_i ^*(ψ) expressed by formula (55) are expressed as follows. ${b_{i}}^{*} (ψ, θ (i, 1) \cdot g_{2}, \dots, θ (ψ, i, n (ψ) + ζ (ψ)) \cdot g_{2}) \in {G_{2}}^{n (ψ) + ζ (ψ)}$

From this formula, it can be seen that the basis vectors b_i ^*(ψ) can be shared by expanding the first embodiment to multidimensional. The secret information is reconstructed by a linear calculation of the share information, so that the reconstruction processing can also be achieved by regarding the result of a linear calculation of share information for each dimension obtained by multidimensional secret sharing as share information. Thus, it can also be seen that the reconstruction of the key information D^*(ψ) can be achieved by expanding the first embodiment to multidimensional.

In the following, differences from the first embodiment will be mainly described, and descriptions of common things will be omitted.

[Preprocessing]

As a preprocessing for the secret sharing processing according to this embodiment, the pieces of information θ(ψ, i, β) ∈ F_q for identifying the pieces of secret information θ(ψ, i, β) · g₂ ∈ G₂ (i = 1, ..., n(ψ)+ζ(ψ), β = 1, ..., n(ψ)+ζ(ψ)) which are elements of the basis vectors b_i ^* (ψ) are stored in the storage 112 of the sharing apparatus 610. The secret information SE and the share information share(λ) (λ = 1, ..., Ψ) that satisfy formulas (63) to (67) are stored in the storage 651 of the common value generation apparatus 650. The labeled matrix LMT(MT, LAB) corresponding to the first information that comprises the set {v(λ)^→}_{λ=1,..., Ψ} of the n(λ)-dimensional vectors v(λ)^→ expressed by formula (60) is stored in the storage 122-α-h(α) of each share management apparatus 620-α-h(α). Note that the labeled matrix LMT(MT, LAB) is common to all the share management apparatus PA(α, h(α)) 620-α-h(α).

[General Description of Secret Sharing Processing]

Figs. 22 and 23 are diagrams for generally illustrating the secret sharing processing according to the second embodiment. In the following, the secret sharing processing according to this embodiment will be generally described with reference to Figs. 22 and 23.
According to this embodiment, first, the sharing apparatus 610 (Fig. 17) independently shares, according to a predetermined secret sharing scheme, the value corresponding to each element θ(ψ, i, β) · g₂ of the basis vectors b_i ^*(ψ) among the subset SUB(α) each consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α) to generate pieces of share information SH(ψ, i, β, α, h(α)) (h(α) = 1, ..., H(α)). In this embodiment, the values corresponding to the elements θ(ψ, i, β) · g₂ of the basis vectors b_i ^*(ψ) are θ(ψ, i, β), and the specific secret sharing scheme is the same as that according to any of modifications 1, 2 and 4 of the first embodiment except that there is a plurality of targets of secret sharing. All of θ(ψ, i, β) in this embodiment are shared in the same manner as in any of modifications 1, 2 and 4 of the first embodiment. That is, the secret sharing scheme according to this embodiment is the secret sharing scheme according to any of modifications 1, 2 and 4 of the first embodiment in which θ is replaced with θ(ψ, i, β). For example, the following share information SH(ψ, i, β, α, h(α)) (h(α) = 1, ..., H(α)) is generated. $SH (ψ, i, β, α, h (α)) = (φ (h (α)), f (α, φ (h (α)))) \in F_{q}$

Note that f(α, ω) = θ(ψ, i, β), and ω ∈ F_q is a predetermined element of the finite field F_q.
The pieces of share information SH(ψ, i, β, α, h(α)) are transmitted to the respective share management apparatuses [PA(α, h(α))] 620-α-h(α) (α = 1, ..., L) via the network 150 and shared among the apparatuses (Steps S61 and S61').
Each share management apparatus [PA(α, h(α))] 620-α-h(α) (α = 1, ..., L) having received the corresponding share management information SH(ψ, i, β, α, h(α)) (h(α) = 1, ..., H(α)) performs a common calculation, which is common in each subset SUB(α), on the common information common in the subset SUB(α) and the share information SH(ψ, i, β, α, h(α)) (h(α) = 1, ..., H(α)) to generate share secret value DSH(ψ, α, h(α)). The common information shared in different subsets SUB(α) are independent of each other. The common calculation is a linear calculation. The common information according to this embodiment includes SE(α) (FNC2^-1(SE) → SE(1), ..., SE(α), ..., SE(L)) obtained from the secret information SE, share(λ, α) (FNC2'^-1(share(λ)) → share(λ, 1), ..., share(λ, α), ..., share(λ, L)) obtained from the share information share(λ) and coef_i(0, α), coef(λ, α), coef_i(λ, α) ∈ F_q that are constants or random numbers, for example. FNC2^-1 represents an inverse function of a linear calculation function FNC2. FNC2'^-1 represents an inverse function of a linear calculation function FNC2'. The linear calculation function FNC2 is a function that outputs the result of a linear calculation of L input values, and an example the linear calculation function FNC2 is a function that outputs the value of a linear combination of L values. For which value of coef_i (0, α) and coef_i (λ, α) are adopted as the common information and whether coef_i(0, α), coef(λ, α), coef_i(λ, α), SE(α) and share(λ, α) are constants or random numbers depend on the structure of the generated key information D^*(ψ). Each share management apparatus [PA(α, h(α))] 620-α-h(α) according to this embodiment generates the share secret value DSH(0, α, h(α)) (α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2) for ψ = 0 as follows (FNC1), for example. ${SHb}_{i} (0, α, h (α)) = (SH (0, i, 1, α)), \dots, SH (0, i, I, α, h (α))$
$DSH$ $(0, α, h (α)) = - SE (α) \cdot {SHb}_{1} * (0, α, h (α)) \cdot g_{2} + {Σ_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {SHb}_{ι}^{*} (0, α, h (α)) \cdot g_{2}$
Furthermore, each share management apparatus [PA(α, h(α))] 620-α-h(α) according to this embodiment generates the share secret value DSH(λ, α, h(α)) (α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2) for each λ (λ = 1, ..., Ψ) according to the following formulas (104) to (106) (FNC1'), for example. ${SHb}_{i}^{*} (λ, α, h (α)) = (SH (λ, i, 1, α, h (α)), \dots, SH (λ, i, n (λ) + ζ (λ), α, h (α))$
$DSH (λ, α, h (α)) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {SHb}_{1}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2}$
$DSH (λ, α, h (α)) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {SHb}_{1}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2}$

The share secret value DSH(ψ, α, h(α)) output from each share management apparatus [PA(α, h(α))] 620-α-h(α) is transmitted to the acquisition apparatus 630 via the network 150 (Steps S62 and S62').
The acquisition apparatus 630 generates reconstructed secret values SUBSK(ψ, α) (ψ = 0, ..., ψ, α = 1, ..., L) for each subset SUB(α) by performing a reconstruction processing for the subset SUB(α) according to the secret sharing scheme in Steps S61 and S61' described above using a plurality of share secret values DSH(ψ, α, h(α)) for the subset SUB(α).
The acquisition apparatus 630 according to this embodiment sets SUBSK(0, α) shown below as the reconstructed secret value for ψ = 0. $SUBSK (0, α) = - SE (α) \cdot {b_{1}}^{*} (0) + {Σ_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {b_{ι}}^{*} (0)$

The acquisition apparatus 630 according to this embodiment sets the reconstructed secret values SUBSK(λ, α) for each λ = 1, ..., Ψ according to the following formula (108) or (109). $SUBSK (λ, α) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {b_{ι}}^{*} (λ)$
$+ {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$
$SUBSK (λ, α) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ξ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

These processings can be achieved by performing the reconstruction processing shown in the first embodiment for each dimension (order) of the share secret value DSH(ψ, α, h(α)). That is, although each share secret value DSH(ψ, α, h(α)) is a vector, the reconstruction processing described above can be achieved by performing the reconstruction processing (Step S134) shown in the first embodiment for each dimension (order) of the vector. For example, assume that the i-th elements of the share secret values DSH(ψ, α, h(α)) which are the vectors used in this reconstruction processing are expressed as follows. $\begin{array}{l} (φ_{1} (α), {dsh}_{1} (α)) \\ \dots \\ (φ_{R (α)} (α), {dsh}_{R (α)} (α)) \end{array}$

In this case, each coefficient λ_ρ(x) (ρ = 1, ..., R(α) is obtained by calculation of formula (11), and the i-th reconstructed secret value SUBSK(ψ, α) for ψ is obtained by the following calculation. $λ_{1} (ω) \cdot {dsh}_{1} (α) + \dots + λ_{R (α)} (ω) \cdot {dsh}_{R (α)} (α)$

Thus, the reconstructed secret values SUBSK(ψ, α) are obtained by performing the same processing for each ψ and each i (Steps S63 and S63').
The acquisition apparatus 630 generates generation information D (ψ) (ψ = 0, ..., Ψ) using the reconstructed secret values SUBSK(ψ, α) (ψ = 0, ..., Ψ, α = 1, ..., L) generated for each subset SUB(α), and outputs the generation information D^*(ψ) (D^*(ψ) = FNC2(SUBSK(ψ, 1), ..., (SUBSK(ψ, α), ..., SUBSK(ψ, L))).
For example, the acquisition apparatus 630 generates the generation information D^*(ψ) by linear combination of the reconstructed secret values SUBSK(ψ, α). For example, if the secret sharing has been performed so as to satisfy the following formulas (110-1) and (110-2), the acquisition * apparatus 630 generates D (ψ) (ψ = 0, ..., Ψ) according to the following formula (111) (Steps S64 and S64'). $FNC 2 (SUBSK (0, 1), \dots, (SUBSK (0, α), \dots, (SUBSK (0, L))) = SUBSK (0, 1) + \dots + SUBSK (0, α) + \dots + SUBSK (0, L)$
$FNC 2 ʹ (SUBSK (λ) (1), \dots, (SUBSK (λ, α), \dots, (SUBSK (λ, L))) = SUBSK (λ) (1) + \dots + SUBSK (λ, α) + \dots + SUBSK (λ, L)$
$D^{*} (ψ) = SUBSK (ψ, 1) + \dots + SUBSK (ψ, α) + \dots + SUBSK (ψ, L)$

[Processing of Sharing Apparatus (Steps S61 and S61')]

Fig. 24 is a diagram for illustrating a processing of the sharing apparatus according to the second embodiment. In the following, details of the processing of the sharing apparatus 610 will be described with reference to this drawing.
First, the controller 113 of the sharing apparatus 610 (Fig. 18) sets ψ at 0 (ψ = 0) and stores the setting in the temporary storage 111 (Step S6101). The controller 113 sets α at 1 and β at 1 (α = 1, β = 1) and stores the settings in the temporary storage 111 (Step S6102). Then, the controller 113 of the sharing apparatus 610 sets i at 1 (i = 1) and stores the stting in the temporary storage 111 (Step S6103).
Then, the information θ(ψ, i, β) ∈ F_q for identifying the secret information θ(ψ, i, β) · g₂ ∈ G₂ (i = 1, ..., n(ψ)+ζ(ψ), β = 1, ..., n(ψ,) + ζ(ψ,)) is read from the storage 112 and input to the secret sharing unit 614-α (α = 1, ..., L). The secret sharing unit 614-α performs the secret sharing of each piece of information θ(ψ, i, β) ∈ F_q to generate the following H(α) pieces of share information for the subset SUB(α) and outputs the share information (Step S6104). $SH (ψ, i, β, α, 1), \dots, SH (ψ, i, β, α, H (α))$

For example, in Step S6104, the processing of Step S112 in the first embodiment is performed for each piece of information θ(ψ, i, β).
Then, the controller 113 determines whether or not β stored in the temporary storage 111 is n(ψ)+ζ(ψ) (Step S6105). If it is not determined that β = n(ψ)+ζ(ψ), the controller 113 sets β + 1 as a new β and stores the setting in the temporary storage 111 (Step S6106). After Step S6106, the process returns to Step S6104.
On the other hand, if it is determined in Step S6105 that β = n(ψ) + ζ(ψ), the controller 113 sets β at 1 (β = 1) and stores the setting in the temporary storage 111 (Step S6107). Then, the controller 113 determines whether or not the value i stored in the temporary storage 111 is n(ψ) + ζ(ψ) (Step S6108). If it is not determined that i = n(ψ) + ζ(ψ), the controller 113 sets i + 1 as a new i and stores the setting in the temporary storage 111 (Step S6109). After Step S6109, the process returns to Step S6104.
On the other hand, if it is determined in Step S6108 that i = n(ψ) + ζ(ψ), the controller 113 determined whether or not the value α stored in the temporary storage 111 equals to L (Step S6110). If it is not determined that α = L, the controller 113 sets α + 1 as a new α and stores the setting in the temporary storage 111 (Step S6111). After Step S6111, the process returns to Step S6103.
On the other hand, if it is determined in Step S6110 that α = L, the controller 113 determines whether or not the value ψ stored in the temporary storage 111 equals to Ψ (Step S6112). If it is not determined that ψ = Ψ, the controller 113 sets ψ + 1 as a new ψ and stores the setting in the temporary storage 111 (Step S6113). After Step S6113, the process returns to Step S6102.
On the other hand, if it is determined in Step S6112 that ψ = Ψ, SH(ψ, i, β, α, 1), ..., SH(ψ, i, β, α, H(α)) output from each secret sharing unit 614-α are sent to the transmitter 115. The transmitter 115 transmits the following share information to the corresponding share management apparatus [PA(α, h(α))] 620-α-h(α) (α = 1, ..., L) via the network 150 (Step S6114). $SH (ψ, i, β, α, h (α)) (i = 1, \dots, n (ψ) + ζ (ψ), β = 1, \dots, n (ψ) + ζ (ψ))$

That is, the share information SH(ψ, i, β, 1, h(1)) is transmitted to the share management apparatus [PA(1, 1)] 620-1-1, the share information SH(ψ, i, β, 2, h(2)) is transmitted to the share management apparatus [PA(1, 2)] 620-1-2, ..., and the share information SH(ψ, i, β, L, H(L)) is transmitted to the share management apparatus [PA(L, H(L))] 620-L-H(L).

[Processing of Common value Generation Apparatus]

Each common value generation apparatus 640-α (α = 1, ..., L) (Fig. 19A) generates the common information coef_i(0, α), coef(λ, α), coef_i(λ, α) shared among the share management apparatuses [PA(α, h(α))] 620-α-h(α) (h(α) = 1, ..., H(α)) forming the subset SUB(α) associated with the common value generation apparatus 640-α. According to this embodiment, the common information coef_i(0, α), coef(λ, α), coef_i(λ, α) are random numbers or constants output from the common information generation unit 641-α, and the transmitter 642-α transmits the common information coef_i(0, α), coef(λ, α), coef_i(λ, α) to respective share management apparatuses [PA(α, h(α))] 620-α-h(α) (h(α) = 1, ..., H(α)) forming the subset SUB(α).
The common value generation apparatus 650 (Fig. 19B) generates SE(α)'s (α = 1, ..., L) from the secret information SE and share(λ, α)'s (α = 1, ..., L) from the share information share(λ). According to this embodiment, the common information generation unit 652 generates SE(1), ..., SE(α), ..., SE(L) that satisfy the following relation from the secret information SE stored in the storage 651. ${FNC 2}^{- 1} (SE) \to SE (1), \dots, SE (α), \dots, SE (L)$

For example, the common information generation unit 652 generates SE(1), ..., SE(α), ..., SE(L) that satisfy the following relation. $SE = SE (1) + \dots + SE (α) + \dots + SE (L)$

According to this embodiment, the common information generation unit 653 generates share(λ, 1), ..., share(λ, α), ..., share(λ, L) from the share information share(λ) stored in the storage 651 as follows. ${FNC 2 ʹ}^{- 1} (share (λ)) \to share (λ) (1), \dots, share (λ, α), \dots, share (λ, L)$

For example, the common information generation unit 653 generates share(λ, 1), ..., share(λ, α), ..., share(λ, L) that satisfy the following relation. $share (λ) = share (λ) (1) + \dots + share (λ, α) + \dots + share (λ, L)$

SE(α) and share(λ, α) (α = 1, ..., L, λ = 1, ..., Ψ) are sent to the transmitter 654, and the transmitter 654 transmits SE(α) and share(λ, α) to respective share management apparatuses [PA(α, h(α))] 620-α-h(α) forming the subset SUB(α).

[Processing of Share Management Apparatus (Step S62)]

Fig. 25 is a diagram for illustrating a processing of the share management apparatus [PA(α, h(α))] 620-α-h(α) (α = 1, ..., L) according to the second embodiment. In the following, the processing of the share management apparatus [PA(α, h(α))] 620-α-h(α) according to this embodiment will be described with reference to this drawing.
First, the receiver 126-α-h(α) of the share management apparatus [PA(α, h(α))] 620-α-h(α) (Fig. 20) receives the transmitted share information SH(ψ, i, β, α, h(α)) and stores the share information in the storage 122-α-h(α) (Step S6201). Note that the processing of Step S6201 can be omitted if the processing of Step S6201 was performed in the past, and the share information SH(ψ, i, β, α, h(α)) has already been stored in the storage 122-α-h(α) of the share management apparatus [PA(α, h(α))] 620-α-h(α).
The receiver 126-α-h(α) of the share management apparatus [PA(α, h(α))] 620-α-h(α) receives the common information coef_i(0, α), coef(λ,α), coef_i(λ, α), SE(α) and share(λ, α) transmitted from the common value generation apparatuses 640-α and 650 and stores the common information in the storage 122-α-h(α) (Step S6202).
Then, the share secret value generation unit 621-α-h(α) reads pieces of the share information SH(0, i, β, α, h(α)) and the common information coef_i(0, α) and SE(α) from the storage 122-α-h(α). The share secret value generation unit 621-α-h(α) generates the share secret value DSH(0, α, h(α)) that satisfies formula (103) from these pieces of information and outputs the share secret value (Step S6203).
Then, the controller 123-α-h(α) sets λ at 1 (λ = 1) and stores the setting in the temporary storage 121-α-h(α) (Step S6204). The selection unit 624-α-h(α) refers to the label LAB(λ) of the labeled matrix LMT(MT, LAB) stored in the storage 122-α-h(α) to determine whether or not LAB(λ) = v(λ)^→ (Step S6205).
If LAB(λ) = v(λ)^→, the share secret value generation unit 622-α-h(α) reads pieces of the share information SH(λ, i, β, α, h(α)), the common information coef(λ, α), coef_i(λ, α) and share(α) and the n(λ)-dimensional vector v(λ)^→ identified by the label LAB(λ) from the storage 122-α-h(α). The share secret value generation unit 622-α-h(α) generates the share secret value DSH(λ, α, h(α)) that satisfies formula (105) from these pieces of information and outputs the share secret value (Step S6206). On the other hand, if LAB(λ) = ¬v(λ)^→, the share secret value generation unit 623-α-h(α) reads pieces of the share information SH(λ, i, β, α, h(α)), the common information coef_i(λ, α) and share(α) and the n(λ)-dimensional vector v(λ)^→ identified by the label LAB(λ) from the storage 122-α-h(α). The share secret value generation unit 623-α-h(α) generates the share secret value DSH(λ, α, h(α)) that satisfies formula (106) from these pieces of information and outputs the share secret value (Step S6207).
Once the share secret value DSH(λ, α, h(α)) for λ is generated, the controller 123-α-h(α) determines whether or not the value λ stored in the temporary storage 121-α-h(α) is Ψ (Step S6208), sets λ + 1 as a new λ if it is not determined that λ = Ψ (Step S6209) and proceeds to the processing of Step S6205. On the other hand, if it is determined that λ = Ψ, the generated share secret values DSH(0, α, h(α)) and DSH(λ, α, h(α)) (λ = 1, ..., ψ) are sent to the transmitter 125-α-h(α). The transmitter 125-α-h(α) transmits the share secret values DSH(0, α, h(α)) and DSH(λ, α, h(α)) to the acquisition apparatus 630 via the network 150 (Step S6210).

[Processing of Acquisition Apparatus (Steps S63, S63', S64 and S64')]

Fig. 26 is a diagram for illustrating a processing of the acquisition apparatus according to the second embodiment.
The share secret values DSH(0, α, h(α)) and DSH(λ, α, h(α)) (λ = 1, ..., Ψ) transmitted from each share management apparatus PA(α, h(α)) 620-α-h(α) are received by the receiver 136 of the acquisition apparatus 630 (Fig. 21) and stored in the storage 132 (Step S6301).
Then, the controller 133 determines whether or not the number of share secret values DSH(0, α, h(α)) and DSH(λ, α, h(α)) stored in the storage 132 is equal to or greater than a number required to reconstruct the secret value (referred to as a "required number" hereinafter) (Step S6302). If it is not determined that the number of share secret values DSH(0, α, h(α)) and DSH(λ, α, h(α)) stored in the storage 132 is equal to or greater than the required number, the process returns to step S6301.
On the other hand, if it is determined that the number of share secret values DSH(0, α, h(α)) and DSH(λ, α, h(α)) stored in the storage 132 is equal to or greater than the required number, the controller 133 sets α at 1 (α = 1) and stores the setting in the temporary storage 131 (Step S6303). Then, the required number of share secret values DSH(0, α, h(α)) (h(α) = 1, ..., H(α)) corresponding to the subset SUB(α) are read from the storage 132 and input to each reconstruction unit 634-α (α = 1, ..., L). Each reconstruction unit 634-α generates the reconstructed secret value SUBSK(0, α) that satisfies formula (107) from the input share secret values DSH(0, α, h(α)) (h(α) = 1, ..., H(α)) by performing the reconstruction processing for each subset SUB(α), and outputs the reconstructed secret value SUBSK(0, α) for the subset SUB(α) (α = 1, ..., L) (Step S6304).
Then, the controller 133 sets λ, at 1 (λ = 1) and stores the setting in the temporary storage 131 (Step S6305). Then, the required number of share secret values DSH(λ, α, h(α)) (h(α) = 1, ..., H(α)) corresponding to the subset SUB(α) are read from the storage 132 and input to each reconstruction unit 636-α (α = 1, ..., L). Each reconstruction unit 636-α generates the reconstructed secret value SUBSK(λ, α) that satisfies formula (108) or (109) from the input share secret values DSH(λ, α, h(α)) (h(α) = 1, ..., H(α)) by performing the reconstruction processing for each subset SUB(α), and outputs the reconstructed secret value SUBSK(λ, α) for the subset SUB(α) (Step S6306).
Then, the controller 133 determines whether or not the value λ stored in the temporary storage 131 is Ψ (Step S6307). If it is not determined that λ = Ψ, the controller 133 sets λ + 1 as a new λ and stores the setting in the temporary storage 131 (Step S6308). After Step S6308, the process returns to Step S6306.
On the other hand, if it is determined that λ = Ψ, the controller 133 determines whether or not the value λ stored in the temporary storage 131 is L (Step S6309). If it is not determined that α = L, the controller 133 sets α + 1 as a new α and stores the setting in the temporary storage 131 (Step S6310). After Step S6310, the process returns to Step S6304.
On the other hand, if it is determined in Step S6309 that α = L, the reconstructed secret value SUBSK(0, α) (α = 1, ..., L) output from each reconstruction unit 634-α (α = 1, ..., L) are transmitted to the synthesis unit 635. The synthesis unit 635 generates the following key information D^*(0) from the reconstructed secret values SUBSK(0, α) (α = 1, ..., L) and outputs the key information. $D^{*} (0) = FNC 2 (SUBSK (0, 1), \dots, SUBSK (0, α), \dots, SUBSK (0, L))$

For example, the key information D^*(0) is generated according to formula (111) with ψ = 0 and output (Step S6311).
Furthermore, the reconstructed secret values SUBSK(λ, α) (α = 1, ..., L) output from each reconstruction unit 634-α (α = 1, ..., L) is transmitted to the synthesis unit 637. The synthesis unit 637 generates the following key information D^*(λ) (λ = 1, ..., Ψ) from the reconstructed secret values SUBSK(λ, α) (α = 1, ..., L) and outputs the key information. $D^{*} (λ) = FNC 2 (SUBSK (λ) (1), \dots, SUBSK (λ, α), \dots, SUBSK (λ, L))$

For example, the key information D^*(λ) (λ = 1, ..., Ψ) is generated according to formula (111) with ψ = λ (λ = 1, ..., Ψ) and output (Step S6312).

Modification 1 of the second embodiment is an application of modification 1 of the first embodiment to the second embodiment. That is, according to modification 1 of the second embodiment, the values corresponding to the elements θ(ψ, i, β) · g₂ of the basis vectors b_i ^*(ψ) are θ(ψ, i, β) · g₂, and each share management apparatus [PA(α, h(α))] 620-α-h(α) generates the following DSH(0, α, h(α)) as the share secret value for ψ = 0 (FNC1) $DSH (0, α, h (α)) = - SE (α) \cdot {SHb}_{1}^{*} (0, α, h (α)) \cdot g_{2} + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {SHb}_{ι}^{*} (0, α, h (α))$

Furthermore, each share management apparatus [PA(α, h(α))] 620-α-h(α) according to this embodiment generates the following DSH(λ, α, h(α)) (λ = 1, ..., Ψ) as the share secret value for each λ according to the following formula (121) or (122), for example (FNC1'). $DSH (λ, α, h (α)) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {SHb}_{1}^{*} (λ, α, h (α)) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α))$
$DSH (λ, α, h (α)) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {SHb}_{1}^{*} (λ, α, h (α)) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α))$

In the other respects, modification 1 is the same as the second embodiment.
A secret sharing system 7 according to modification 1 of the second embodiment comprises a sharing apparatus 710 that replaces the sharing apparatus 610 and share management apparatuses 720-α-h(α) (α = 1, ..., L) that replace the share management apparatuses 620-α-h(α) (α = 1, ..., L). The remainder of the configuration is the same as that according to the second embodiment.
According to modification 1 of the second embodiment, instead of Step S6104, the information θ(ψ, i, β) · g₂ ∈ G₂ (i = 1, ..., n(ψ) + ζ(ψ), β = 1, ..., n(ψ) + ζ(ψ)) is read from the storage 112 and input to a secret sharing unit 714-α (α = 1, ..., L) (Fig. 27). The secret sharing unit 714-α shares each piece of information θ(ψ, i, β) · g₂ ∈ G₂ to generate H(α) pieces of share information shown below for the subset SUB(α) and outputs the share information. $SH (ψ, i, β, α, 1), \dots, SH (ψ, i, β, α, H (α))$

The secret sharing scheme for the information θ(ψ, i, β) · g₂ ∈ G₂ is the same as that according to the first embodiment. That is, according to this embodiment, the secret sharing scheme according to the first embodiment in which θ · g is replaced with θ(ψ, i, β) · g₂ is performed. For example, the following share information SH(ψ, i, β, α, h(α)) (h(α) = 1, ..., H(α)) is generated. $SH (ψ, i, β, α, h (α)) = (φ (h (α))), f (α, φ (h (α)))) \cdot g_{2} \in G_{2}$

Note that a relation: f(α, ω) = θ(ψ, i, β) holds, and ω ∈ F_q is a predetermined element of the finite field F_q (Step S7104).
According to modification 1 of the second embodiment, instead of Step S6203 in the second embodiment, the share secret value generation unit 721-α-h(α) reads pieces of the share information SH(0, i, β, α, h(α)) and the common information coef_i(0, α) and SE(α) from the storage 122-α-h(α). The share secret value generation unit 721-α-h(α) generates the share secret value DSH(0, α, h(α)) that satisfies formula (120) from these pieces of information and outputs the share secret value (Step S7203).
According to modification 1 of the second embodiment, instead of Step S6206 in the second embodiment, the share secret value generation unit 722-α-h(α) reads pieces of the share information SH(λ, i, β, α, h(α)), the common information coef(λ, α), coef_i(λ, α) and share(α) and the n(λ)-dimensional vector v(λ)^→ identified by the label LAB(λ) from the storage 122-α-h(α). The share secret value generation unit 722-α-h(α) generates the share secret value DSH(λ, α, h(α)) that satisfies formula (121) from these pieces of information and outputs the share secret value (Step S7206). Furthermore, instead of Step S6207 in the second embodiment, the share secret value generation unit 723-α-h(α) reads pieces of the share information SH(λ, i, β α, h(α)), the common information coef_i(λ, α) and share(α) and the n(λ)-dimensional vector v(λ)^→ identified by the label LAB(λ) from the storage 122-α-h(α). The share secret value generation unit 723-α-h(α) generates the share secret value DSH(λ, α, h(α)) that satisfies formula (122) from these pieces of information and outputs the share secret value (Step S7207).

The secret sharing scheme or the reconstruction scheme in the second embodiment or modification 1 thereof can be modified as in the first embodiment or modification 3 thereof.

[Other Modifications or the like]

The present invention is not limited to the embodiments described above. For example, each calculation defined on the finite field F_q described above can be replaced with a calculation defined on a finite ring Z_q having an order q. An example of the method of replacing each calculation defined on the finite field F_q with a calculation defined on the finite ring Z_q is a method that permits q other than a prime number or a power thereof. Furthermore, although a processing of generating key information on a functional encryption as the generation information has been described in the second embodiment, other generation information may be generated.
The various processing described above can be performed not only sequentially in the order described above but also in parallel with each other or individually as required or depending on the processing power of the apparatus that performs the processing. Furthermore, of course, other various modifications can be appropriately made to the processing without departing form the spirit of the present invention.
In the case where the configurations described above are implemented by a computer, the specific processing of the apparatuses are described in a program. The computer executes the program to implement the processing described above.
The program that describes the specific processing can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any type of recording medium, such as a magnetic recording device, an optical disk, a magneto-optical recording medium and a semiconductor memory.
The program may be distributed by selling, transferring or lending a portable recording medium, such as a DVD and a CD-ROM, in which the program is recorded, for example. Alternatively, the program may be distributed by storing the program in a storage device in a server computer and transferring the program from the server computer to other computers via a network.
The computer that executes the program first temporarily stores, in a storage device thereof, the program recorded in a portable recording medium or transferred from a server computer, for example. Then, when performing the processing, the computer reads the program from the recording medium and performs the processing according to the read program. In an alternative implementation, the computer may read the program directly from the portable recording medium and perform the processing according to the program. As a further alternative, the computer may perform the processing according to the program each time the computer receives the program transferred from the server computer. As a further alternative, the processing described above may be performed on an application service provider (ASP) basis, in which the server computer does not transmit the program to the computer, and the processing are implemented only through execution instruction and result acquisition. The programs according to the embodiments of the present invention include a quasi-program, which is information to be processed by a computer (such as data that is not a direct instruction to a computer but has a property that defines the processing performed by the computer).
Although a predetermined program is executed on a computer to implement the specific processing of each apparatus in the embodiments described above, at least part of the specific processing may be implemented by hardware by itself.

[DESCRIPTION OF REFERENCE NUMERALS]

1 to 7: secret sharing system
110, 210, 410, 510, 610, 710: sharing apparatus
120 to 720: share management apparatus
130, 330, 430, 530, 630: acquisition apparatus
140, 640, 650: common value generation apparatus

Claims

A secret sharing system, comprising:
a sharing apparatus;

Σ_α=1 ^L h(α) share management apparatuses PA(α, h(α)), where α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2; and

an acquisition apparatus,

wherein the sharing apparatus includes:
a secret sharing unit that independently shares a value corresponding to each element θ(ψ, i, β) · g₂ of basis vectors b_i ^*(ψ) among each subset SUB(α) consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)) according to a predetermined secret sharing scheme to generate share information SH(ψ, i, β, α, h(α)) corresponding to each element θ(ψ, i, β) · g₂, where h(α) = 1, ..., H(α), provided that Ψ denotes an integer equal to or greater than 1, ψ denotes an integer equal to or greater than 0 and equal to or smaller than Ψ, ψ = 0, ..., Ψ, n(ψ) denotes an integer equal to or greater than 1, ζ(ψ) denotes an integer equal to or greater than 0, a generator of a cyclic group G₂ is denoted by g₂, and the basis vectors b_i ^*(ψ) = (θ(ψ, i, 1) · g₂, ..., θ(ψ, i, n(ψ)+ζ(ψ)) · g₂) ∈ G₂ ^n(ψ)+ζ(ψ) are n(ψ)+ζ(ψ)-dimensional basis vectors for θ(ψ, i, β), where i = 1, ..., n(ψ)+ζ(ψ), β = 1, ..., n(ψ) + ζ(ψ), n(ψ) ≥ 1, ζ(ψ) ≥ 1, elements of the basis vectors b_i ^*(ψ) are n(ψ)+ζ(ψ) elements of the cyclic group G₂,

each of the share management apparatuses PA(α, h(α)) includes:
a share secret value generation unit that generates share secret values DSH(ψ, α, h(α)) by performing a common calculation common in the subset SUB(α) on common information shared in the subset SUB(α) and the share information Soh(ψ, i, β, α, h(α)), where h(α) = 1, ..., H(α), and

the acquisition apparatus includes:
a reconstruction unit that generates reconstructed secret values SUBSK(ψ, α) for each subset SUB(α) from a plurality of the share secret values DSH(ψ, α, h(α)) for the subset SUB(α) by performing reconstruction processing for the subset SUB(α) according to the secret sharing scheme; and

a synthesis unit that generates generation information D^*(ψ) from the reconstructed secret values SUBSK(ψ, α).
The secret sharing system according to claim 1, wherein pieces of the common information shared in different subsets SUB(α) are independent from each other.
The secret sharing system according to claim 1, wherein the common calculation is a linear calculation.
The secret sharing system according to claim 2, wherein the common calculation is a linear calculation.
The secret sharing system according to claim 1, wherein the synthesis unit generates the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing system according to claim 2, wherein the synthesis unit generates the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing system according to claim 3, wherein the synthesis unit generates the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing system according to claim 4, wherein the synthesis unit generates the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing system according to any one of claims 1 to 8, wherein the value corresponding to each element θ(ψ, i, β) · g₂ of the basis vectors b_i ^*(ψ) are θ(ψ, i, β),
the common information includes coef_i(0, α), coef(λ, α), coef_i(λ, α), SE(α) and share(λ, α), provided that λ denotes an integer equal to or greater than 1 and equal to or smaller than Ψ, λ = 1, ..., Ψ, and
the share secret value generation unit generates: $DSH (0, α, h (α)) = - SE (α) \cdot {SHb}_{1}^{*} (0, α, h (α)) \cdot g_{2} + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {SHb}_{ι}^{*} (0, α, h (α)) \cdot g_{2}$

as a share secret value for ψ = 0, provided that ${SHb}_{i}^{*} (0, α, h (α)) = (SH (0, i, 1, α, h (α)), \dots, SH (0, i, I, α, h (α));$
and $DSH (λ, α, h (α)) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {SHb}_{1}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2}$
$+ {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2}$

or $DSH (λ, α, h (α)) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {SHb}_{1}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2}$

as a secret share value for each λ, provided that ${SHb}_{i}^{*} (λ, α, h (α)) = (SH (λ, i, 1, α, h (α)), \dots, SH (λ, i, n (λ) + ζ (λ), α, h (α))$

and v(λ)^→ = (v₁(λ), ..., vn_(λ)(λ)) are n(λ)-dimensional vectors.
The secret sharing system according to any one of claims 1 to 8, wherein the value corresponding to each element θ(ψ, i, β) · g₂ of the basis vectors b_i ^*(ψ) are θ(ψ, i, β) · g₂,
the common information includes coef_i(0, α), coef(λ, α), coef_i(λ, α), SE(α) and share(λ, α), provided that λ denotes an integer equal to or greater than 1 and equal to or smaller than Ψ, λ = 1, ..., Ψ, and
the share secret value generation unit generates: $DSH (0, α, h (α)) = - SE (α) \cdot {SHb}_{1}^{*} (0, α, h (α)) + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {SHb}_{ι}^{*} (0, α, h (α))$

as a share secret value for ψ = 0, provided that ${SHb}_{i}^{*} (0, α, h (α)) = (SH (0, i, 1, α, h (α)), \dots, SH (0, i, I, α, h (α));$
and $DSH (λ, α, h (α)) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {SHb}_{1}^{*} (λ, α, h (α)) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α))$

or $DSH (λ, α, h (α)) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {SHb}_{1}^{*} (λ, α, h (α)) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α))$

as a secret share value for each λ, provided that ${SHb}_{i}^{*} (λ, α, h (α)) = (SH (λ, i, 1, α, h (α)), \dots, SH (λ, i, n (λ) + ζ (λ), α, h (α))$

and v(λ)^→ = (v₁(λ), ..., v_n(λ)(λ)) are n(λ)-dimensional vectors.
The secret sharing system according to claim 9, wherein the reconstruction unit generates: $SUBSK (0, α) = - SE (α) \cdot {b_{1}}^{*} (0) + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {b_{ι}}^{*} (0)$

as a reconstructed secret value for ψ = 0; and $SUBSK (λ, α) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {b_{ι}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

or $SUBSK (λ, α) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ξ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

as a reconstructed secret value for each λ.
The secret sharing system according to claim 10, wherein the reconstruction unit generates:
SUBSK(0, α) = -SE(α) · b₁ ^*(0) + Σ_i=2 ^I coef_i(0, α)·b_i ^*(0) as a reconstructed secret value for ψ = 0; and $SUBSK (λ, α) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {b_{ι}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

or $SUBSK (λ, α) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ξ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

as a reconstructed secret value for each λ.
A sharing apparatus that independently shares a value corresponding to each element θ(ψ, i, β) · g₂ of basis vectors b_i ^*(ψ) among each subset SUB(α) consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)) according to a predetermined secret sharing scheme to generate share information SH(ψ, i, β, α, h(α)) corresponding to each element θ(ψ, i, β) · g₂, where α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2, provided that Ψ denotes an integer equal to or greater than 1, ψ denotes an integer equal to or greater than 0 and equal to or smaller than Ψ, ψ = 0, ..., Ψ, n(ψ) denotes an integer equal to or greater than 1, ζ(ψ) denotes an integer equal to or greater than 0, a generator of a cyclic group G₂ is denoted by g₂, and the basis vectors b_i ^*(ψ) = (θ(ψ, i, 1) · g₂, ..., θ(ψ, i, n(ψ)+ζ(ψ)) · g₂) ∈ G₂ ^n(ψ)+ζ(ψ) are n(ψ)+ζ(ψ)-dimensional basis vectors for θ(ψ, i, β), where i = 1, ..., n(ψ)+ζ(ψ), β = 1, ..., n(ψ)+ζ(ψ), n(ψ) ≥ 1, ζ(ψ) ≥ 1, the elements of the basis vectors b_i ^*(ψ) are n(ψ)+ζ(ψ) elements of the cyclic group G₂.
A share management apparatus that generates share secret values DSH(ψ, α, h(α)) by performing a common calculation common in each subset SUB(α) consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)), where α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2, on common information shared in the subset SUB(α) and share information SH(ψ, i, β, α, h(α)) obtained by independently sharing a value corresponding to each element θ(ψ, i, β) · g₂ of a basis vectors b_i ^*(ψ) among the subset SUB(α), provided that h(α) = 1, ..., H(α), Ψ denotes an integer equal to or greater than 1, ψ denotes an integer equal to or greater than 0 and equal to or smaller than Ψ, ψ = 0, ..., Ψ, n(ψ) denotes an integer equal to or greater than 1, ζ(ψ) denotes an integer equal to or greater than 0, a generator of a cyclic group G₂ is denoted by g₂, and the basis vectors are n(ψ)+ζ(ψ)-dimensional basis vectors b_i ^*(ψ) = (θ(ψ, i, 1) · g₂, ..., θ(ψ, i, n(ψ + ζ(ψ)) · g₂) ∈ G₂ ^n(ψ)+ζ(ψ) for θ(ψ i, β), where i = 1, ..., n(ψ)+ζ(ψ), β = 1, ..., n(ψ) + ζ(ψ), n(ψ) ≥ 1, ζ(ψ) ≥ 1, the elements of the basis vectors b_i ^*(ψ) are n(ψ)+ζ(ψ) elements of the cyclic group G₂.
An acquisition apparatus, comprising:
a reconstruction unit that generates reconstructed secret values SUBSK(ψ, α) for each subset SUB(α) from a plurality of share secret values DSH(ψ, α, h(α)) for the subset SUB(α) by performing a reconstruction processing for the subset SUB(α) according to a predetermined secret sharing scheme, provided that Ψ denotes an integer equal to or greater than 1, ψ denotes an integer equal to or greater than 0 and equal to or smaller than Ψ, ψ = 0, ..., Ψ, SUB(α) denotes the subset consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)), α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2; and

a synthesis unit that generates generation information D^*(ψ) from the reconstructed secret values SUBSK(ψ, α).
A secret sharing method performed by a sharing apparatus, Σ_α=1 ^L h(α) share management apparatuses PA(α, h(α)), where α = 1, ..., L, L ≥ 2, h(α) = 1, ..., H(α), H(α) ≥ 2, and an acquisition apparatus, the method comprising:
(A) a step of independently sharing, at the sharing apparatus, a value corresponding to each element θ(ψ, i, β) · g₂ of basis vectors b_i ^*(ψ) among each subset SUB(α) consisting of H(α) share management apparatuses PA(α, 1), ..., PA(α, H(α)) according to a predetermined secret sharing scheme to generate share information SH(ψ, i, β, α, h(α)) corresponding to each element θ(ψ, i, β) · g₂, where h(α) = 1, ..., H(α), provided that Ψ denotes an integer equal to or greater than 1, ψ denotes an integer equal to or greater than 0 and equal to or smaller than Ψ, ψ = 0, ..., Ψ, n(ψ) denotes an integer equal to or greater than 1, ζ(ψ) denotes an integer equal to or greater than 0, a generator of a cyclic group G₂ is denoted by g₂, and the basis vectors b_i ^*(ψ) = (θ(ψ, i, 1) · g₂, ..., θ(ψ, i, n(ψ) + ζ(ψ)) · g₂) ∈ G₂ ^n(ψ)+ζ(ψ) are an n(ψ)+ζ(ψ)-dimensional basis vectors for θ(ψ, i, β), where i = 1, ..., n(ψ)+ζ(ψ), β = 1, ..., n(ψ) + ζ(ψ), n(ψ) ≥ 1, ζ(ψ) ≥ 1, the elements of the basis vectors b_i ^*(ψ) are n(ψ)+ζ(ψ) elements of the cyclic group G₂;

(B) a step of generating, at each of the share management apparatuses PA(α, h(α)), share secret values DSH(ψ, α, h(α)) by performing a common calculation common in the subset SUB(α) on common information shared in the subset SUB(α) and the share information SH(ψ, i, β, α, h(α)), where h(α) = 1, ..., H(α);

(C) a step of generating, at the acquisition apparatus, reconstructed secret values SUBSK(ψ, α) for each subset SUB(α) from a plurality of the share secret values DSH(ψ, α, h(α)) for the subset SUB(α) by performing a reconstruction processing for the subset SUB(α) according to the secret sharing scheme; and

(D) a step of generating, the acquisition apparatus, generation information D^*(ψ) from the reconstructed secret values SUBSK(ψ, α).
The secret sharing method according to claim 16, wherein pieces of the common information shared in different subsets SUB(α) are independent from each other.
The secret sharing method according to claim 16, wherein the common calculation is a linear calculation.
The secret sharing method according to claim 17, wherein the common calculation is a linear calculation.
The secret sharing method according to claim 16, wherein the step (D) includes a step of generating the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing method according to claim 17, wherein the step (D) includes a step of generating the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing method according to claim 18, wherein the step (D) includes a step of generating the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing method according to claim 19, wherein the step (D) includes a step of generating the generation information D^*(ψ) by a linear combination of the reconstructed secret values SUBSK(ψ, α).
The secret sharing method according to any one of claims 16 to 23, wherein the value corresponding to each element θ(ψ, i, β) · g₂ of the basis vectors b_i ^*(ψ) are θ(ψ, i, β),
the common information includes coef_i(0, α), coef(λ, α), coef_i(λ, α), SE(α) and share(λ, α), provided that λ denotes an integer equal to or greater than 1 and equal to or smaller than Ψ, λ = 1, ..., Ψ, and
the step (B) includes:
(B-1) a step of generating $DSH (0, α, h (α)) = - SE (α) \cdot {SHb}_{1}^{*} (0, α, h (α)) \cdot g_{2} + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {SHb}_{ι}^{*} (0, α, h (α)) \cdot g_{2}$

as a share secret value for ψ = 0, provided that ${SHb}_{i}^{*} (0, α, h (α)) = (SH (0, i, 1, α, h (α)), \dots, SH (0, i, I, α, h (α));$
and

(B-2) a step of generating $DSH (λ, α, h (α))$
$= (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {SHb}_{1}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2}$

or $DSH (λ, α, h (α)) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {SHb}_{1}^{*} (λ, α, h (α)) \cdot g_{2} + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) \cdot g_{2}$

as a secret share value for each λ, provided that ${SHb}_{i}^{*} (λ, α, h (α)) = (SH (λ, i, 1, α, h (α)), \dots, SH (λ, i, n (λ) + ζ (λ), α, h (α))$

and v(λ)^→ = (v₁(λ), ..., v_n(λ)(λ)) are n(λ)-dimensional vectors.
The secret sharing method according to any one of claims 16 to 23, wherein the value corresponding to each element θ(ψ, i, β) · g₂ of the basis vectors b_i ^*(ψ) are θ(ψ, i, β) · g₂,
the common information includes coef_i(0, α), coef(λ, α), coef_i(λ, α), SE(α) and share(λ, α), provided that λ denotes an integer equal to or greater than 1 and equal to or smaller than Ψ, λ = 1, ..., Ψ, and
the step (B) includes:
(B-1) a step of generating $DSH (0, α, h (α)) = - SE (α) \cdot {SHb}_{1}^{*} (0, α, h (α)) + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {SHb}_{ι}^{*} (0, α, h (α))$

as a share secret value for ψ = 0, provided that ${SHb}_{i}^{*} (0, α, h (α)) = (SH (0, i, 1, α, h (α)), \dots, SH (0, i, I, α, h (α));$
and

(B-2) a step of generating $DSH (λ, α, h (α)) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {SHb}_{1}^{*} (λ, α, h (α)) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {SHb}_{ι}^{*} (λ, α, h (α)) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot v_{ι} (λ) \cdot {SHb}_{ι}^{*} (λ, α, h (α))$

or $DSH (λ, α, h (α)) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {SHb}_{1}^{*} (λ, α, h (α)) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {SHb}_{ι}^{*} (λ, α, h (α))$

as a secret share value for each λ, provided that ${SHb}_{i}^{*} (λ, α, h (α)) = (SH (λ, i, 1, α, h (α)), \dots, SH (λ, i, n (λ) + ζ (λ), α, h (α))$

and v(λ)^→ = (v₁(λ), ..., v_n(λ)(λ)) are n(λ)-dimensional vectors.
The secret sharing method according to claim 24 wherein the step (C) includes:
(C-1) a step of generating $SUBSK (0, α) = - SE (α) \cdot {b_{1}}^{*} (0) + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {b_{ι}}^{*} (0)$

as a reconstructed secret value for ψ = 0; and

(C-2) a step of generating $SUBSK (λ, α) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {b_{ι}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

or $SUBSK (λ, α) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ξ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

as a reconstructed secret value for each λ.
The secret sharing method according to claim 25, wherein the step (C) includes:
(C-1) a step of generating $SUBSK (0, α) = - SE (α) \cdot {b_{1}}^{*} (0) + {\sum_{ι = 2}}^{I} {coef}_{ι} (0, α) \cdot {b_{ι}}^{*} (0)$

as a reconstructed secret value for ψ = 0; and

(C-2) a step of generating $SUBSK (λ, α) = (share (λ, α) + coef (λ, α) \cdot v_{1} (λ)) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = 2}}^{n (λ)} coef (λ, α) \cdot v_{ι} (λ) \cdot {b_{ι}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ζ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

or $SUBSK (λ, α) = share (λ, α) \cdot {\sum_{ι = 1}}^{n (λ)} v_{ι} (λ) \cdot {b_{1}}^{*} (λ) + {\sum_{ι = n (λ) + 1}}^{n (λ) + ξ (λ)} {coef}_{ι} (λ, α) \cdot {b_{ι}}^{*} (λ)$

as a reconstructed secret value for each λ.
A program that makes a computer function as a sharing apparatus according to claim 13.
A program that makes a computer function as a share management apparatus according to claim 14.
A program that makes a computer function as an acquisition apparatus according to claim 15.
A computer-readable recording medium that stores a program that makes a computer function as a sharing apparatus according to claim 13.
A computer-readable recording medium that stores a program that makes a computer function as a share management apparatus according to claim 14.
A computer-readable recording medium that stores a program that makes a computer function as an acquisition apparatus according to claim 15.